Subject: RE: [dss] Re: Authentication of Claimed Identity
At 08:24 PM 11/4/2004 +0000, Nick Pope wrote:

>Trevor, Juan Carlos,
>
>One final thought before I shut up and accept including signatures.
>
>If I would want to include a signature from the requester I am not sure that
>this is the best place. Including the request in a SOAP envelope provides
>all that is needed already.

You'd need WSS too. Maybe people think that's too heavy a stew of technologies. I dunno, but that argument applies to any form of authentication info, not just signatures. Yet people seemed to want <SupportingInfo>, so putting authentication info in the binding must not be suitable in all cases.

As far as just not mentioning signatures, to avoid confusion: that would seem odd to me, since they're a common type of authentication info. The text I suggested goes out of its way to say the signature or MAC would be "over the request" and performed "using a client key", which should make it clear this is different from the <SignatureObject> you're asking the server to verify.

>Just saying digital signature opens up in my
>mind many questions of whether this signature is in an XML Signature, if so
>why isn't it like any other input signature?

You're not asking the server to process this signature, you're using the signature to authenticate yourself to the server and protect your communications with it.

>If not how can the data being
>signed be identified and issues such as canonicalisation addressed?

Up to profiles.

Trevor