Subject: Suggested addition to DSS Core - KeyInfo control
Hello all,

Some applications require the ability to control what content is included in the <ds:KeyInfo> element of a <ds:Signature>. For example, implementing access right checks and / or routing logic by automated servers processing signed XML transactions, so that the transaction may be rejected or routed based on the signer's identity as specified in a <ds:X509SubjectName> element. This may be done before or after the actual signature validation and possibly by a different module or application server. Extracting such information whenever needed from a <ds:X509Certificate> element may be deemed inefficient in some cases.

A specific use case is the MERS eRegistry (http://www.mersinc.org), an electronic registry of mortgage loans created by the US mortgage banking industry. MERS requires that received XML transactions are signed, and that XML signatures contain a <ds:X509SubjectName> element as well as <ds:X509IssuerSerial> in addition to the <ds:X509Certificate>. In addition, the <ds:RSAKeyValue> element may be required. Thanks to Eric Lengvenis for supplying this example.

While it is certainly possible to expect this feature (controlling the content of <ds:KeyInfo>) to be defined by a server policy outside the scope of DSS, it seems to be a worthwhile and generic feature which may be useful in many circumstances.

Thanks,
- Uri

Uri Resnitzky
Chief Scientist, ARX
http://www.arx.com
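The following is an added illustration of the KeyInfo-control idea in the message above; it is not code from the message, from the DSS specification, from ARX, or from MERS. It builds a <ds:KeyInfo> whose children are selected by a per-request option set (the hypothetical names "X509Certificate", "X509SubjectName", "X509IssuerSerial" and "RSAKeyValue" are this example's own), shows what a routing front-end can read cheaply from <ds:X509SubjectName> and <ds:X509IssuerSerial> without decoding the certificate, and adds the check a validator must still perform: those text elements are not covered by the signature, so an access decision is only final once they are reconciled with the certificate whose key actually verified the signature. All sample values (subject, issuer, serial, modulus, DER bytes) are constructed placeholders; DER certificate parsing is assumed to be done elsewhere.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
NS = {"ds": DS}


def crypto_binary(n: int) -> str:
    """Encode an unsigned integer as ds:CryptoBinary: base64 of the
    big-endian magnitude with leading zero octets removed."""
    if n < 0:
        raise ValueError("CryptoBinary values are unsigned")
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big").lstrip(b"\x00")
    return base64.b64encode(raw).decode("ascii")


def build_key_info(cert_der, subject, issuer, serial, modulus, exponent, include):
    """Build <ds:KeyInfo> containing only the children named in `include`
    (the per-request control proposed in the message).  The X.509 fields are
    passed in already extracted; parsing the DER certificate is out of scope."""
    ki = ET.Element(f"{{{DS}}}KeyInfo")
    if "RSAKeyValue" in include:
        kv = ET.SubElement(ki, f"{{{DS}}}KeyValue")
        rsa = ET.SubElement(kv, f"{{{DS}}}RSAKeyValue")
        ET.SubElement(rsa, f"{{{DS}}}Modulus").text = crypto_binary(modulus)
        ET.SubElement(rsa, f"{{{DS}}}Exponent").text = crypto_binary(exponent)
    if include & {"X509IssuerSerial", "X509SubjectName", "X509Certificate"}:
        x509 = ET.SubElement(ki, f"{{{DS}}}X509Data")
        if "X509IssuerSerial" in include:
            isr = ET.SubElement(x509, f"{{{DS}}}X509IssuerSerial")
            ET.SubElement(isr, f"{{{DS}}}X509IssuerName").text = issuer
            ET.SubElement(isr, f"{{{DS}}}X509SerialNumber").text = str(serial)
        if "X509SubjectName" in include:
            ET.SubElement(x509, f"{{{DS}}}X509SubjectName").text = subject
        if "X509Certificate" in include:
            b64 = base64.b64encode(cert_der).decode("ascii")
            ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = b64
    return ki


def routing_hints(xml_text: str) -> dict:
    """What an automated front-end can read before (or without) decoding the
    certificate: subject, issuer and serial as plain text.  Missing -> None."""
    root = ET.fromstring(xml_text)
    x = ".//ds:X509Data/"
    return {
        "subject": root.findtext(x + "ds:X509SubjectName", namespaces=NS),
        "issuer": root.findtext(x + "ds:X509IssuerSerial/ds:X509IssuerName", namespaces=NS),
        "serial": root.findtext(x + "ds:X509IssuerSerial/ds:X509SerialNumber", namespaces=NS),
    }


def hints_match_certificate(hints, cert_subject, cert_issuer, cert_serial) -> bool:
    """The hints are signer-chosen text that the signature does not vouch for.
    A routing decision may use them early, but an access decision must wait
    until they agree with the certificate that verified the signature.
    Plain string comparison here; real code should compare parsed X.500 names."""
    return (hints["subject"] == cert_subject
            and hints["issuer"] == cert_issuer
            and hints["serial"] == str(cert_serial))


# Constructed sample values.  The DER bytes are a placeholder, not a certificate.
SAMPLE_CERT_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_SUBJECT = "CN=Lender Signing Service,O=Example Lender,C=US"
SAMPLE_ISSUER = "CN=Example Issuing CA,O=Example Trust,C=US"
SAMPLE_SERIAL = 1234567890
SAMPLE_MODULUS = 0xC0FFEE1234567890ABCDEF  # not a real RSA modulus
SAMPLE_EXPONENT = 65537
# Profile mirroring the MERS requirements described in the message.
MERS_PROFILE = {"X509Certificate", "X509SubjectName", "X509IssuerSerial", "RSAKeyValue"}


def sample_key_info(include=MERS_PROFILE) -> str:
    """Serialise a KeyInfo for the sample signer with the requested children."""
    ki = build_key_info(SAMPLE_CERT_DER, SAMPLE_SUBJECT, SAMPLE_ISSUER,
                        SAMPLE_SERIAL, SAMPLE_MODULUS, SAMPLE_EXPONENT, include)
    return ET.tostring(ki, encoding="unicode")


if __name__ == "__main__":
    xml = sample_key_info()
    print(xml)
    hints = routing_hints(xml)
    print(hints)
    print("reconciled:", hints_match_certificate(hints, SAMPLE_SUBJECT, SAMPLE_ISSUER, SAMPLE_SERIAL))
```

Running the block prints the full MERS-style KeyInfo, the routing hints pulled from it, and the reconciliation result. Passing a smaller option set, for example {"X509Certificate"} alone, yields a KeyInfo with no X509SubjectName, and `routing_hints` then returns None for that field, which is the signal that the front-end must fall back to decoding the certificate.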