[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] JPMorgan/RSA message
Yes, Trevor is correct. n PSTP, the Signature Gateway holds the private keying material of the asymmetric pair. The client authenticates him or herself with the OTP. The <ReturnUpdatedSignature> field is interesting; however, its semantics may be a bit too narrow: "Alternatively, the output may contain an entirely new signature on the same input documents as the input signature". While these semantics are useful, other alternatives may also be applicable. For example, we could potentially permit the output to contain a signature of the client's signature. Thus, when the recipient receives the output, the recipient could validate the second signature without undergoing the potentially cumbersome task of matching against the original input documents. The Signature Gateway should operate in both the request/response and the in-line models. Perhaps, the Signature Gateway profile should consider routing to be out of scope. Through out-of-band configuration, the Signature Gateway server would know whether it is an in-line proxy, or a request/response server. We need to be careful with the binding specification to take into account the advanced services offered by the latest security technology. Deep packet inspection firewalls currently have the ability to filter HTTP POSTs searching for issues such as cross site scripting attacks and SQL injection. Through the same technology, the deep packet inspection firewalls could detect the specific profile of a DSS signature gateway request. So, I am not sure that the SOAP binding would be strictly necessary. Glenn "Nick Pope" <pope@secstan.com To: "Trevor Perrin" <trevp@trevp.net>, <dss@lists.oasis-open.org> > cc: Subject: RE: [dss] JPMorgan/RSA message 10/18/2004 04:56 AM > In the example, Ke was the public key. > Thanks Trevor. I missed that. So the Signature Gateway has the private key? Nick > -----Original Message----- > From: Trevor Perrin [mailto:trevp@trevp.net] > Sent: 18 October 2004 08:15 > To: dss@lists.oasis-open.org > Subject: RE: [dss] JPMorgan/RSA message > > > At 08:24 PM 10/17/2004 +0100, Nick Pope wrote: > >Glen, > > > >Your input are very useful in bringing in a fresh perspective on > what we are > >doing in DSS. > > > >Firstly, can I check that I have a proper understanding of the > operation of > >the PSTP protocol. Is the private key used to protect the symmetric keys > >(referred to as Ke) loaded up to the client system within the Applet / > >Active X code, or loaded separately into the client system by some other > >means? > > In the example, Ke was the public key. > > > >Secondly, I like the idea of the Signature Gateway profile. I > can see this > >have a wide number of uses, taking a signature, adding information on its > >validity and applying a second signature. > > Yeah, this is another example of Verify-then-Sign (use Verify protocol, > with the <ReturnUpdatedSignature> option). > > > >Do I understand the proposed operation of the Secure Gateway is > an in-line > >message service. Would this be using SOAP or similar protocol? The DSS > >currently operates on a request / response with the response > going back to > >the original client. > > Yeah, we need to drill into this more (where exactly DSS fits in > an inline > Signature Gateway). > > > Trevor > > > > To unsubscribe from this mailing list (and be removed from the > roster of the OASIS TC), go to > http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_wor > kgroup.php. > > > To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php .
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]