OASIS Mailing List Archives

dss message


Subject: RE: [dss] Re: Authentication of Claimed Identity


At 08:24 PM 11/4/2004 +0000, Nick Pope wrote:
>Trevor, Juan Carlos,
>
>One final thought before I shut up and accept including signatures.
>
>If I would want to include a signature from the requester I am not sure that
>this is the best place.  Including the request in a SOAP envelope provides
>all that is needed already.

You'd need WSS too.  Maybe people think that's too heavy a stew of 
technologies.  I dunno, but that argument applies to any form of 
authentication info, not just signatures.  Yet people seemed to want 
<SupportingInfo>, so putting authentication info in the binding must not be 
suitable in all cases.

As far as just not mentioning signatures, to avoid confusion: that would 
seem odd to me, since they're a common type of authentication info.  The 
text I suggested goes out of its way to say the signature or MAC would be 
"over the request" and performed "using a client key", which should make it 
clear this is different from the <SignatureObject> you're asking the server 
to verify.


>Just saying digital signature opens up in my
>mind many questions of whether this signature is in an XML Signature, if so
>why isn't it like any other input signature?

You're not asking the server to process this signature, you're using the 
signature to authenticate yourself to the server and protect your 
communications with it.


>If not how can the data being
>signed be identified and issues such as canonicalisation addressed?

Up to profiles.


Trevor 


