Subject: RE: [dss] JPMorgan/RSA message



Nick,

Perhaps, DSS should consider investigating both answers to your question.
The deep packet inspection firewall vendors assure me that they can filter
the input and identify the signature in the input stream.  However, the DSS
may also wish to consider specifying additional control information.

Glenn



                                                                                                                                    
                      "Nick Pope"                                                                                                   
                      <pope@secstan.com        To:       <Glenn.Benson@chase.com>, <dss@lists.oasis-open.org>                       
                      >                        cc:                                                                                  
                                               Subject:  RE: [dss] JPMorgan/RSA message                                             
                      10/19/2004 05:33                                                                                              
                      AM                                                                                                            
                                                                                                                                    
                                                                                                                                    




In the case of an in-line Signature Gateway, is there any control
information passed in to the gateway, or is it simply that the gateway
identifies a signature in the input stream and includes an updated signature
in the output stream?

Nick

> -----Original Message-----
> From: Glenn.Benson@chase.com [mailto:Glenn.Benson@chase.com]
> Sent: 18 October 2004 15:54
> To: dss@lists.oasis-open.org
> Subject: RE: [dss] JPMorgan/RSA message
>
>
>
> Yes, Trevor is correct.  In PSTP, the Signature Gateway holds the private
> keying material of the asymmetric pair.  The client authenticates him or
> herself with the OTP.
>
> The <ReturnUpdatedSignature> field is interesting; however, its semantics
> may be a bit too narrow: "Alternatively, the output may contain an entirely
> new signature on the same input documents as the input signature".  While
> these semantics are useful, other alternatives may also be applicable.  For
> example, we could potentially permit the output to contain a signature of
> the client's signature.  Thus, when the recipient receives the output, the
> recipient could validate the second signature without undergoing the
> potentially cumbersome task of matching against the original input
> documents.
>
> The Signature Gateway should operate in both the request/response and the
> in-line models.   Perhaps, the Signature Gateway profile should consider
> routing to be out of scope.  Through out-of-band configuration, the
> Signature Gateway server would know whether it is an in-line proxy, or a
> request/response server.
>
> We need to be careful with the binding specification to take into account
> the advanced services offered by the latest security technology.  Deep
> packet inspection firewalls currently have the ability to filter HTTP POSTs
> searching for issues such as cross site scripting attacks and SQL
> injection.  Through the same technology, the deep packet inspection
> firewalls could detect the specific profile of a DSS signature gateway
> request.  So, I am not sure that the SOAP binding would be strictly
> necessary.
>
> Glenn
>
>
>
>
>
>
> From: "Nick Pope" <pope@secstan.com>
> To: "Trevor Perrin" <trevp@trevp.net>, <dss@lists.oasis-open.org>
> cc:
> Subject: RE: [dss] JPMorgan/RSA message
> Date: 10/18/2004 04:56 AM
>
> > In the example, Ke was the public key.
> >
>
> Thanks Trevor.  I missed that.   So the Signature Gateway has the private
> key?
>
> Nick
>
> > -----Original Message-----
> > From: Trevor Perrin [mailto:trevp@trevp.net]
> > Sent: 18 October 2004 08:15
> > To: dss@lists.oasis-open.org
> > Subject: RE: [dss] JPMorgan/RSA message
> >
> >
> > At 08:24 PM 10/17/2004 +0100, Nick Pope wrote:
> > >Glenn,
> > >
> > >Your input is very useful in bringing in a fresh perspective on what we are
> > >doing in DSS.
> > >
> > >Firstly, can I check that I have a proper understanding of the operation of
> > >the PSTP protocol?  Is the private key used to protect the symmetric keys
> > >(referred to as Ke) loaded up to the client system within the Applet /
> > >Active X code, or loaded separately into the client system by some other
> > >means?
> >
> > In the example, Ke was the public key.
> >
> >
> > >Secondly, I like the idea of the Signature Gateway profile.  I can see this
> > >have a wide number of uses, taking a signature, adding information on its
> > >validity and applying a second signature.
> >
> > Yeah, this is another example of Verify-then-Sign (use Verify protocol,
> > with the <ReturnUpdatedSignature> option).
> >
> >
> > >Do I understand the proposed operation of the Secure Gateway is an in-line
> > >message service?  Would this be using SOAP or similar protocol?  The DSS
> > >currently operates on a request / response with the response going back to
> > >the original client.
> >
> > Yeah, we need to drill into this more (where exactly DSS fits in an inline
> > Signature Gateway).
> >
> >
> > Trevor
> >
> >
> >
> > To unsubscribe from this mailing list (and be removed from the
> > roster of the OASIS TC), go to
> > http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php.
> >
> >
> >
>
>
>
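The two output semantics Glenn contrasts above (a new gateway signature on the same input documents versus a gateway signature over the client's own signature) as an added example; it is not code from the thread or from the DSS profile. It uses Ed25519 from the Go standard library, the type and function names are assumed, and the gateway's OTP authentication of the client is treated as already done.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// GatewayOutput is the assumed gateway output (not a DSS element): the
// client's signature passed through plus the gateway's own signature.
type GatewayOutput struct {
	ClientSig  []byte
	GatewaySig []byte
	OverDoc    bool // true: signed the documents; false: countersigned ClientSig
}

// GatewayProcess is verify-then-sign: nothing is signed unless the client's
// signature over doc verifies. overDoc selects a new signature on the same
// documents (ReturnUpdatedSignature) or a signature over the client's signature.
func GatewayProcess(gwPriv ed25519.PrivateKey, clientPub ed25519.PublicKey,
	doc, clientSig []byte, overDoc bool) (*GatewayOutput, error) {
	if !ed25519.Verify(clientPub, doc, clientSig) {
		return nil, errors.New("client signature invalid; gateway will not sign")
	}
	out := &GatewayOutput{ClientSig: clientSig, OverDoc: overDoc}
	if overDoc {
		out.GatewaySig = ed25519.Sign(gwPriv, doc)
	} else {
		out.GatewaySig = ed25519.Sign(gwPriv, clientSig)
	}
	return out, nil
}

// RecipientVerify: a countersignature checks from the output alone; a
// document signature cannot be checked without the original documents.
func RecipientVerify(gwPub ed25519.PublicKey, out *GatewayOutput, doc []byte) bool {
	if !out.OverDoc {
		return ed25519.Verify(gwPub, out.ClientSig, out.GatewaySig)
	}
	return doc != nil && ed25519.Verify(gwPub, doc, out.GatewaySig)
}

func main() {
	gwPub, gwPriv, _ := ed25519.GenerateKey(rand.Reader)
	clPub, clPriv, _ := ed25519.GenerateKey(rand.Reader)
	doc := []byte("constructed sample document")
	out, err := GatewayProcess(gwPriv, clPub, doc, ed25519.Sign(clPriv, doc), false)
	fmt.Println(err == nil && RecipientVerify(gwPub, out, nil)) // recipient never sees doc
}
```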