OASIS Mailing List Archives

dss-x message



Subject: Re: [dss-x] HSM Proxy DSS profile


Hi Andreas,


Indeed, this Proxy HSM offers raw PKCS1 signature operations, but using centralized key management, whereas the idea behind Local Sig Comp is that the client itself holds the signing token (e.g., a smart card).

I've read your feedback on the Local Sig Comp profile. Decomposing the work would indeed make sense, as I'm afraid that the current scope is way too broad. No matter how the actual connection between the DSS and the PKCS1 device has been implemented, the first problem that you need to tackle (and that, from an interoperability point of view, actually demands standardization) is the protocol between the web application and a DSS service over web browsers. Hence, in my view, the first work package is constructing an OASIS DSS profile that defines message-level security, as I already suggested in:

https://lists.oasis-open.org/archives/dss-x/201209/msg00028.html

Later on we could also try to detail the actual DSS-PKCS1-device protocol, but again, in my view this is merely a DSS service implementation detail, i.e., similar to SAML, where the actual authentication mechanism is also completely out of scope as it is business/technology specific and, from an interop point of view, actually doesn't matter at all.


Kind Regards,
Frank.

On 05/21/2013 10:12 AM, Andreas Kuehne wrote:
> Hi Frank,
>
>> FYI... I've been working on a new product named "HSM Proxy" which
>> maybe is an interesting use-case of the OASIS DSS protocol.
>> The HSM Proxy custom DSS profile has been documented at:
>> http://hsm-proxy.googlecode.com/files/hsm-proxy-ws-specs-0.3.0.pdf
>>
>> Although still a work-in-progress, this initial specification should
>> give you an idea of what I'm trying to construct.
>
> Interesting!
>
> The PKCS1-only profile I mentioned in my mail (one hour ago) could be an
> aspect of your HSM proxy. The usual HSM talks plain PKCS1, doesn't it?
>
> Greetings,
>
> Andreas
