Subject: Signature policy profile
Hi all,
today I had a short mail chat with Peter Lipp, part of the ETSI verification report task force. He mentioned their need for the Sig Policy profile.

I did check my old mails and documents and found out that major parts of it are included in the core 2.0 (URIs of ServicePolicy in OptionalInput, AppliedPolicy in OptionalOutput).

What's left out from Juan Carlos' original profile is a mechanism to include the hash of the policy document into the request / response. I'm not convinced that it is necessary to hash content that is already identified by a unique identifier. Moreover, digesting a non-canonicalized object is a dangerous approach. In general, is there a need to double-ensure that a URI really means what it means? Please come up with a reason if you know one.

Another aspect that wasn't transferred to core is an option to enumerate server-supported policies using a sign request. This breaks the semantics of the sign request. It should be handled by a service self-describing interface.

My current statement is 'the Sig Policy profile is supported by the core'. Please raise your concerns if you cannot agree to this view.

Greetings,
Andreas

--
Andreas Kühne
phone: +49 177 293 24 97
mailto: kuehne@trustable.de

Trustable Ltd. Niederlassung Deutschland
Gartenheimstr. 39C - 30659 Hannover
Amtsgericht Hannover HRB 212612
Director Andreas Kühne
Company UK Company No: 5218868
Registered in England and Wales
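
The concern above about digesting a non-canonicalized object, shown as an added example that is not part of the original message: two byte-different serializations of one policy document give different SHA-256 digests unless both are canonicalized first. The policy XML, its namespace and the function names are assumptions made for illustration; canonicalization uses the C14N 2.0 implementation in Python's ElementTree.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample: one hypothetical policy document, serialized two ways
# (attribute order, quote style, empty-element form, XML declaration differ).
POLICY_A = (
    '<?xml version="1.0"?>\n'
    '<SignaturePolicy xmlns="urn:example:policy" id="p1" version="1.0">'
    '<Rule name="digest" value="SHA-256"/>'
    '</SignaturePolicy>'
)
POLICY_B = (
    "<SignaturePolicy   version='1.0' id='p1' xmlns='urn:example:policy'>"
    "<Rule value='SHA-256' name='digest'></Rule>"
    "</SignaturePolicy>\n"
)
# Constructed sample: same identifier, but the rule content was changed.
POLICY_CHANGED = POLICY_A.replace("SHA-256", "SHA-1")


def raw_digest(doc: str) -> str:
    """SHA-256 over the serialized bytes exactly as received."""
    return hashlib.sha256(doc.encode("utf-8")).hexdigest()


def canonical_digest(doc: str) -> str:
    """SHA-256 over the C14N 2.0 form, so equivalent serializations agree."""
    canonical = canonicalize(doc)  # returns the canonical XML as a str
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare(a: str, b: str) -> dict:
    """Report whether two documents match under each digest strategy."""
    return {
        "raw_equal": raw_digest(a) == raw_digest(b),
        "canonical_equal": canonical_digest(a) == canonical_digest(b),
    }


if __name__ == "__main__":
    # Same policy, different bytes: the raw digest reports a false mismatch.
    print("A vs B:      ", compare(POLICY_A, POLICY_B))
    # Really different policy: both digests report the mismatch.
    print("A vs changed:", compare(POLICY_A, POLICY_CHANGED))
```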