[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] Policy-wise Server profile doc
Thanks Trevor, responses inline Paul >-----Original Message----- >From: Trevor Perrin [mailto:trevp@trevp.net] >Sent: Sunday, February 22, 2004 7:29 PM >To: Paul Madsen; dss@lists.oasis-open.org >Subject: Re: [dss] Policy-wise Server profile doc > > >At 08:46 AM 2/17/2004 -0500, Paul Madsen wrote: > >>Hi, enclosed is the Policy-wise Server Profile, based on >Trevor's profile >>template. > >Hi Paul, > >Looks good generally, a few comments: > > >Line 6, Document identifier should be: >"oasis-dss-1.0-profiles-pws-spec-wd-01" Fixed > >Lines 12-21, Remove list of contributors Fixed > >Line 75, remove "and signature profiles..." Fixed > >Lines 99-100: I think you don't need a URI identifier, so you >could say >"This profile does not specify a URI identifier". I'll update >the template >doc to mention that. Fixed > >Line 121: <IntendedAudience> instead of <Recipient> > Fixed >Lines 122-132: let's discuss this some more, and try to >determine whether >it's necessary, or needs to be put into core. > Agreed >Line 161: I forgot the <SignatureObject> section in the template by >accident, it's a good section to add. However, I think the >PWS profile >could just say: "This profile does not specify or constrain >the type of >signature object". Clients are required to send the ><SignatureObject> by >the core. > Fixed >Line 163: so clients MUST send <Document> for signing, but >they're allowed >to send <Document>s or DocumentHash>es for verifying? > My thinking was that, at least for XML data, for the client to be able to send <DocumentHash>es in a <SignRequest> would imply that it knew over which elements the signature would be calculated - this incompatible with its level of policy knowledge. For a VerifyRequest, this constraint wasn't relevant - a client's ability to support sending only the <DocumentHash> reflecting only its XML and math capabilities rather than policy or trust management abilities. To be honest, I haven;t fully thought through how this constraint (not sending the hash on a <SignRequest>) can be made compatible with scenarios where the source data to be signed is non-XML and so the client can more reasonably be expected/allowed to calculate the hash. Perhaps we should loosen it here and tighten appropriately in the concrete profiles. >Line 169-171: This is redundant with the core document, >section 4.3 #5. So >I think you could delete this section. Section 4.3 specifies processing for the 'primary' <Signature> within a <VerifyRequest>, i.e. that which motivates the request. This section of the PWS Profile was intended to specify processing to be performed by the DSS Server for any other <Signature>s, e.g. those calculated by some external policy authority over a policy statement. > > >Trevor > > >To unsubscribe from this mailing list (and be removed from the >roster of the OASIS TC), go to >http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_ workgroup.php.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]