security-services message
Subject: SHA-1 and digital signature authentication

Colleagues - Here is proposed text for Section 4 of the Core specification, dealing with authentication using SHA-1 and authentication using digital signature.  Best regards.  Tim.

4.1.7 SHA-1

This authenticator element is the result of computing a digest, using the SHA-1 hash algorithm.  It is used when the subject can be represented as a binary string, for example when it is an XML document or the disk image of executable code.  Any preprocessing of the subject prior to computation of the digest is out of scope.  The name of the subject should be conveyed in an accompanying NameIdentifier element.

     Protocol element URI is tbd.
     AuthenticationData is a string containing the encoded digest.
     ds:KeyInfo is absent.

4.1.8 PKCS#7

This authenticator element is signed data in PKCS#7 format [PKCS#7].  The posited identity of the signer must be conveyed in an accompanying NameIdentifier element.  This subject type may be included in the subject field of an authentication query, in which case the corresponding response indicates whether the posited signer is, indeed, the signer.  It may be included in an attribute query, in which case, the requested attribute values for the subject authenticated by the signed data are returned.  It may be included in an authorization query, in which case, the access request represented by the signed data shall be identified by the accompanying object element, and the corresponding authorization decision assertion indicates whether the signer is authorized for the access request represented by the object element.

     Protocol element URI is tbd.
     AuthenticationData is a string containing the signed PKCS#7 data, including a signature verification certificate for the signer.

     ds:KeyInfo is absent.

4.1.9 Cryptographic Message Syntax

This authenticator element is signed data in CMS format [CMS].  See also 4.1.8.

     Protocol element URI is tbd.
     AuthenticationData is a string containing the signed CMS data, including a signature verification certificate for the signer.

     ds:KeyInfo is absent.

4.1.10 XML Digital Signature

This authenticator element is signed data in XML Digital Signature format [XML-SIG].  See also 4.1.8.

     Protocol element URI is tbd.
     AuthenticationData is a string containing the signed XML data.  It may include a signature verification certificate for the signer.

     ds:KeyInfo may include a signature verification certificate for the signer.

[PKCS#7] Kaliski, B., "PKCS #7: Cryptographic Message Syntax, Version 1.5", RFC 2315, March 1998.

[CMS] Housley, R., "Cryptographic Message Syntax", RFC 2630, June 1999.


Tim Moses
Tel: 613.270.3183
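An added worked example, not part of Tim's proposal or of any SAML text, showing how a relying party could build and check the SHA-1 authenticator of 4.1.7 in Python. The element names (Authenticator, NameIdentifier, AuthenticationData), the protocol URI and the base64 encoding of the digest are assumptions for illustration, since the proposal leaves the URI "tbd" and does not say how the digest is encoded. One caveat a practitioner would add today: SHA-1 is no longer collision-resistant (practical collisions were published in 2017), so a digest authenticator of this shape should use SHA-256 or stronger; the example keeps SHA-1 only to match the section it illustrates.

```python
"""Added example: constructing and verifying a SHA-1 digest authenticator
in the style of section 4.1.7.  Element names, the protocol URI and the
base64 encoding are assumptions; the proposal leaves them unspecified."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Placeholder URI: the proposal says the protocol element URI is tbd.
SHA1_AUTH_URI = "urn:example:authenticator:sha1"


def sha1_authenticator(subject_name: str, subject_bytes: bytes) -> str:
    """Return the authenticator element as an XML string.

    The digest is computed over the subject's exact byte string.  Per 4.1.7
    any preprocessing (canonicalisation, decompression, ...) is out of scope,
    so the caller must hand over precisely the bytes it wants bound."""
    digest = hashlib.sha1(subject_bytes).digest()
    root = ET.Element("Authenticator", {"Protocol": SHA1_AUTH_URI})
    ET.SubElement(root, "NameIdentifier").text = subject_name
    # Assumed encoding of "the encoded digest": standard base64.
    ET.SubElement(root, "AuthenticationData").text = (
        base64.b64encode(digest).decode("ascii")
    )
    return ET.tostring(root, encoding="unicode")


def verify_sha1_authenticator(xml_text: str, expected_name: str,
                              subject_bytes: bytes) -> bool:
    """Recompute the digest over the presented subject bytes and compare it,
    in constant time, with the digest carried in the element.

    The NameIdentifier is checked as well: a digest that matches under the
    wrong name says nothing about the subject the relying party cares about."""
    root = ET.fromstring(xml_text)
    if root.tag != "Authenticator" or root.get("Protocol") != SHA1_AUTH_URI:
        return False
    name = root.findtext("NameIdentifier")
    encoded = root.findtext("AuthenticationData") or ""
    try:
        presented = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if name != expected_name or len(presented) != hashlib.sha1().digest_size:
        return False
    return hmac.compare_digest(presented, hashlib.sha1(subject_bytes).digest())


if __name__ == "__main__":
    # Constructed sample subject: a small XML document, as its exact bytes.
    doc = b'<policy id="p1"><allow user="alice"/></policy>'
    auth = sha1_authenticator("urn:example:policy:p1", doc)
    print(auth)
    print(verify_sha1_authenticator(auth, "urn:example:policy:p1", doc))
    # A byte-level change to the subject (here a trailing newline) fails:
    # the digest binds the exact bytes, which is why 4.1.7 puts preprocessing
    # out of scope and both parties must agree on it beforehand.
    print(verify_sha1_authenticator(auth, "urn:example:policy:p1", doc + b"\n"))
```

The verify side deliberately checks three things the proposal's one-line description leaves implicit: the protocol URI, the posited name, and the digest length before the constant-time comparison, so a malformed or mis-addressed element is rejected rather than silently compared against the wrong expectation.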