
dss-x message


Subject: Suggested addition to DSS Core - KeyInfo control

Hello all,

Some applications require the ability to control what content is
included in the <ds:KeyInfo> element of a <ds:Signature>.

For example, implementing access right checks and / or routing logic by
automated servers processing signed XML transactions, so that the
transaction may be rejected or routed based on the signer's identity as
specified in a <ds:X509SubjectName> element. This may be done before or
after the actual signature validation and possibly by a different module
or application server. Extracting such information whenever needed from
a <ds:X509Certificate> element may be deemed inefficient in some cases.

A specific use case is the MERS eRegistry (http://www.mersinc.org), an
electronic registry of mortgage loans created by the US mortgage banking
industry. MERS requires that received XML transactions are signed, and
that XML signatures contain a <ds:X509SubjectName> element as well as
<ds:X509IssuerSerial> in addition to the <ds:X509Certificate>. In
addition, the <ds:RSAKeyValue> element may be required.
Thanks to Eric Lengvenis for supplying this example.

While it is certainly possible to expect this feature (controlling the
content of <ds:KeyInfo>) to be defined by a server policy outside the
scope of DSS, it seems to be a worthwhile and generic feature which may
be useful in many circumstances.


- Uri

Uri Resnitzky
Chief Scientists, ARX
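As an added illustration (not part of the original post or of the DSS specification), the following shows how a receiving server could enforce a KeyInfo content policy of the kind described above, extract the routing identity, and apply the check a practitioner would want before acting on it: the <ds:X509SubjectName> text is only trustworthy once it is shown to be covered by the signature and consistent with the validated certificate. The element-path policy, the function names and the sample signature are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}
# Policy modelled on the MERS requirements quoted above (assumed, not spec text).
REQUIRED = ["ds:X509Data/ds:X509SubjectName",
            "ds:X509Data/ds:X509IssuerSerial/ds:X509IssuerName",
            "ds:X509Data/ds:X509IssuerSerial/ds:X509SerialNumber",
            "ds:X509Data/ds:X509Certificate"]

def check_keyinfo(signature_xml, required=REQUIRED):
    """Return (ok, missing, identity, covered) for one ds:Signature.
    identity holds the subject/issuer/serial text a router could act on;
    covered says whether ds:KeyInfo is referenced from SignedInfo, i.e.
    whether those strings are protected by the signature at all."""
    sig = ET.fromstring(signature_xml)
    ki = sig.find("ds:KeyInfo", NS)
    if ki is None:
        return False, list(required), {}, False
    missing = [p for p in required if ki.find(p, NS) is None]
    def text(path):
        return (ki.findtext(path, default="", namespaces=NS) or "").strip()
    identity = {"subject": text("ds:X509Data/ds:X509SubjectName"),
                "issuer": text("ds:X509Data/ds:X509IssuerSerial/ds:X509IssuerName"),
                "serial": text("ds:X509Data/ds:X509IssuerSerial/ds:X509SerialNumber")}
    ki_id = ki.get("Id")
    refs = {r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    covered = ki_id is not None and "#" + ki_id in refs
    return not missing, missing, identity, covered

def identity_matches(identity, cert_subject, cert_issuer, cert_serial):
    """After signature validation, confirm the KeyInfo strings agree with the
    validated ds:X509Certificate before routing on them. The DN comparison
    here is a simplified normalisation; real code should compare parsed names."""
    norm = lambda dn: ",".join(p.strip() for p in dn.split(","))
    return (norm(identity["subject"]) == norm(cert_subject)
            and norm(identity["issuer"]) == norm(cert_issuer)
            and identity["serial"].lstrip("0") == str(cert_serial).lstrip("0"))

# Constructed sample transaction signature; all values are placeholders.
SAMPLE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:Reference URI=""><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
    <ds:Reference URI="#ki1"><ds:DigestValue>BBBB</ds:DigestValue></ds:Reference>
  </ds:SignedInfo>
  <ds:KeyInfo Id="ki1"><ds:X509Data>
    <ds:X509SubjectName>CN=Example Lender, O=Example Bank</ds:X509SubjectName>
    <ds:X509IssuerSerial><ds:X509IssuerName>CN=Example CA</ds:X509IssuerName>
      <ds:X509SerialNumber>123456</ds:X509SerialNumber></ds:X509IssuerSerial>
    <ds:X509Certificate>TUlJQ...base64-placeholder</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo>
</ds:Signature>"""
```

A router that acts on the identity only when `covered` is true and `identity_matches` agrees with the validated certificate avoids trusting unsigned or inconsistent KeyInfo text.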
