Re: [dss] Signature Gateway Profile

[Trevor Perrin <trevp@trevp.net>]

At 05:29 PM 11/1/2004 -0500, Glenn.Benson@chase.com wrote:
>The Signature Gateway Profile incorporates the concept of a requestor who
>sends a signed message to a DSS server.  The DSS server validates the
>message and executes another signature.  What would be the best ways to
>handle the following concepts?
>
>1.  The signature created by the requestor has multiple purposes.

I thought the DSS "requester" didn't create the signature, but just 
intercepted and sent it to a DSS server?  I.e.:
  - PSTP signature created by some party, sent to inline proxy
  - inline proxy sends signature to DSS server, receives back updated signature
  - inline proxy forwards updated signature to backend server

In this case the PSTP signature is separate from "requester 
authentication".  The PSTP signature binds the signer to a document, 
requester authentication binds the requester to a request.


>One purpose is authentication; and another purpose is to protect the integrity
>of a  document included within the request.  How should the dual nature of
>the signature be referenced in DSS?  Should we take advantage of the XML
>ref construct by explicitly referencing the same signature from the
>SupportingInfo of ClaimedIdentity/RequesterIdentity and the signature of
>the document?

I don't think you need to do that, since <ClaimedIdentity> pertains to the 
DSS requester's identity, which is separate from the signer's identity.

[...]

>3.  The same request asks the DSS server to first verify a signature and
>then execute another signature.  Is this a signature request or a
>verification request?

Verify, with <ReturnUpdatedSignature>.


Trevor