[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] JPMorgan/RSA message
Yes, Trevor is correct. n PSTP, the Signature Gateway holds the private
keying material of the asymmetric pair. The client authenticates him or
herself with the OTP.
The <ReturnUpdatedSignature> field is interesting; however, its semantics
may be a bit too narrow: "Alternatively, the output may contain an entirely
new signature on the same input documents as the input signature". While
these semantics are useful, other alternatives may also be applicable. For
example, we could potentially permit the output to contain a signature of
the client's signature. Thus, when the recipient receives the output, the
recipient could validate the second signature without undergoing the
potentially cumbersome task of matching against the original input
documents.
The Signature Gateway should operate in both the request/response and the
in-line models. Perhaps, the Signature Gateway profile should consider
routing to be out of scope. Through out-of-band configuration, the
Signature Gateway server would know whether it is an in-line proxy, or a
request/response server.
We need to be careful with the binding specification to take into account
the advanced services offered by the latest security technology. Deep
packet inspection firewalls currently have the ability to filter HTTP POSTs
searching for issues such as cross site scripting attacks and SQL
injection. Through the same technology, the deep packet inspection
firewalls could detect the specific profile of a DSS signature gateway
request. So, I am not sure that the SOAP binding would be strictly
necessary.
Glenn
"Nick Pope"
<pope@secstan.com To: "Trevor Perrin" <trevp@trevp.net>, <dss@lists.oasis-open.org>
> cc:
Subject: RE: [dss] JPMorgan/RSA message
10/18/2004 04:56
AM
> In the example, Ke was the public key.
>
Thanks Trevor. I missed that. So the Signature Gateway has the private
key?
Nick
> -----Original Message-----
> From: Trevor Perrin [mailto:trevp@trevp.net]
> Sent: 18 October 2004 08:15
> To: dss@lists.oasis-open.org
> Subject: RE: [dss] JPMorgan/RSA message
>
>
> At 08:24 PM 10/17/2004 +0100, Nick Pope wrote:
> >Glen,
> >
> >Your input are very useful in bringing in a fresh perspective on
> what we are
> >doing in DSS.
> >
> >Firstly, can I check that I have a proper understanding of the
> operation of
> >the PSTP protocol. Is the private key used to protect the symmetric
keys
> >(referred to as Ke) loaded up to the client system within the Applet /
> >Active X code, or loaded separately into the client system by some other
> >means?
>
> In the example, Ke was the public key.
>
>
> >Secondly, I like the idea of the Signature Gateway profile. I
> can see this
> >have a wide number of uses, taking a signature, adding information on
its
> >validity and applying a second signature.
>
> Yeah, this is another example of Verify-then-Sign (use Verify protocol,
> with the <ReturnUpdatedSignature> option).
>
>
> >Do I understand the proposed operation of the Secure Gateway is
> an in-line
> >message service. Would this be using SOAP or similar protocol? The DSS
> >currently operates on a request / response with the response
> going back to
> >the original client.
>
> Yeah, we need to drill into this more (where exactly DSS fits in
> an inline
> Signature Gateway).
>
>
> Trevor
>
>
>
> To unsubscribe from this mailing list (and be removed from the
> roster of the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_wor
> kgroup.php.
>
>
>
To unsubscribe from this mailing list (and be removed from the roster of
the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php
.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]