OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

bdxr message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [bdxr] smp:Certificate

Hi Pim

I believe SMP enables out-of-band trust models, but do not necessarily require that such a model is in place for endpoints in the network. The /ProcessList/../Endpoint/Certificate becomes useful in networks such as PEPPOL, where the sending party's endpoint wishes to validate the signature of the receiving party's endpoint. In this case the /ProcessList/../Endpoint/Certificate holds the public key of the receiving endpoint, and the sending endpoint can compare the signature of the receiving endpoint with the key in the authoritative response from the SMP before sending the business document.

Most file exchange protocols will probably not support such disruption of an initiated exchange based on an on-the-fly validation of a public key in the SMP response, or it would require a complicated modification of the software at best. PEPPOL's START protocol was intended to support this, and it continues to be a requirement in PEPPOL for the sending endpoint to validate the signature of the receiving endpoint with the certificate in the SMP record.

You are also right that in the case that an out-of-band trust model then this feature of the SMP becomes redundant.

Best regards,

Kenneth


From: bdxr@lists.oasis-open.org [bdxr@lists.oasis-open.org] on behalf of Pim van der Eijk [pvde@sonnenglanz.net]
Sent: Monday, January 26, 2015 4:45 AM
To: bdxr@lists.oasis-open.org
Subject: [bdxr] smp:Certificate



Hi,

I have some questions on smp:Certificate:

/ProcessList/../Endpoint/Certificate  is defined as "Holds the complete [X509v3] signing certificate of the recipient gateway, as a PEM base 64 encoded DER formatted value."

1)  Where is this certificate used?   I could imagine it would enable a sender to validate that a signed receipt is using the correct certificate.  But since SMP already requires an out-of-band trust model for sender certificates,  I'm not sure why the option would be there for receiver certificates.  

2)  Since the definition is explicitly about signing certificate,  how does a sender know which encryption certificate to use for a particular receiver? 

Kind Regards,

Pim


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]