[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] JPMorgan/RSA message
In the case of an in-line Signature Gateway, is there any control information passed in to the gateway, or is it simply the gateway identifies a signature in the input stream and includes an updated signature in the output stream? Nick > -----Original Message----- > From: Glenn.Benson@chase.com [mailto:Glenn.Benson@chase.com] > Sent: 18 October 2004 15:54 > To: dss@lists.oasis-open.org > Subject: RE: [dss] JPMorgan/RSA message > > > > Yes, Trevor is correct. n PSTP, the Signature Gateway holds the private > keying material of the asymmetric pair. The client authenticates him or > herself with the OTP. > > The <ReturnUpdatedSignature> field is interesting; however, its semantics > may be a bit too narrow: "Alternatively, the output may contain > an entirely > new signature on the same input documents as the input signature". While > these semantics are useful, other alternatives may also be > applicable. For > example, we could potentially permit the output to contain a signature of > the client's signature. Thus, when the recipient receives the > output, the > recipient could validate the second signature without undergoing the > potentially cumbersome task of matching against the original input > documents. > > The Signature Gateway should operate in both the request/response and the > in-line models. Perhaps, the Signature Gateway profile should consider > routing to be out of scope. Through out-of-band configuration, the > Signature Gateway server would know whether it is an in-line proxy, or a > request/response server. > > We need to be careful with the binding specification to take into account > the advanced services offered by the latest security technology. Deep > packet inspection firewalls currently have the ability to filter > HTTP POSTs > searching for issues such as cross site scripting attacks and SQL > injection. Through the same technology, the deep packet inspection > firewalls could detect the specific profile of a DSS signature gateway > request. So, I am not sure that the SOAP binding would be strictly > necessary. > > Glenn > > > > > > > "Nick Pope" > > <pope@secstan.com To: "Trevor > Perrin" <trevp@trevp.net>, <dss@lists.oasis-open.org> > > cc: > > Subject: RE: > [dss] JPMorgan/RSA message > 10/18/2004 04:56 > > AM > > > > > > > > > > > In the example, Ke was the public key. > > > > Thanks Trevor. I missed that. So the Signature Gateway has the private > key? > > Nick > > > -----Original Message----- > > From: Trevor Perrin [mailto:trevp@trevp.net] > > Sent: 18 October 2004 08:15 > > To: dss@lists.oasis-open.org > > Subject: RE: [dss] JPMorgan/RSA message > > > > > > At 08:24 PM 10/17/2004 +0100, Nick Pope wrote: > > >Glen, > > > > > >Your input are very useful in bringing in a fresh perspective on > > what we are > > >doing in DSS. > > > > > >Firstly, can I check that I have a proper understanding of the > > operation of > > >the PSTP protocol. Is the private key used to protect the symmetric > keys > > >(referred to as Ke) loaded up to the client system within the Applet / > > >Active X code, or loaded separately into the client system by > some other > > >means? > > > > In the example, Ke was the public key. > > > > > > >Secondly, I like the idea of the Signature Gateway profile. I > > can see this > > >have a wide number of uses, taking a signature, adding information on > its > > >validity and applying a second signature. > > > > Yeah, this is another example of Verify-then-Sign (use Verify protocol, > > with the <ReturnUpdatedSignature> option). > > > > > > >Do I understand the proposed operation of the Secure Gateway is > > an in-line > > >message service. Would this be using SOAP or similar > protocol? The DSS > > >currently operates on a request / response with the response > > going back to > > >the original client. > > > > Yeah, we need to drill into this more (where exactly DSS fits in > > an inline > > Signature Gateway). > > > > > > Trevor > > > > > > > > To unsubscribe from this mailing list (and be removed from the > > roster of the OASIS TC), go to > > http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_wor > > kgroup.php. > > > > > > > > > > To unsubscribe from this mailing list (and be removed from the roster of > the OASIS TC), go to > http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_wor kgroup.php . To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php .
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]