[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [dss] client-side hashing
Rich Salz wrote: >Trevor Perrin wrote: >>There may be an even better way to do this, with ds:Manifest. A client >>could submit a Manifest just like submitting any document, and the >>service would return a ds:Signature on that Manifest. > >Not quite, since an XML DSIG manifest doesn't require the receiver to >actually verify the individual hashes, just the manifest itself. Oh, I see. 5.1 - "The digests within such a Manifest are checked at the application's discretion". It's too bad you can't tag a manifest with something like a "MustValidate" attribute. The best way I can think of to support this, then, would be to have the client send a list of ds:References, and a selector for what type of signature he wants (CMS, XML DSIG, etc.). If DSIG, the service copies the references into a ds:SignedInfo, canonicalizes and signs it and returns the ds:Signature. If CMS, the list should only contain a single reference, which has no transforms or URI. The service will extract the digest value, sign it, and return a CMS SignerInfo along with a list of certs. Trevor
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC