OASIS Mailing List Archives

dss message

Subject: RE: [dss] FW: XML Key Management Specification Last Call - need review/feed back


See the way we do that for XKMS services. 

Basically it would be a UseKeyWith with the protocol specifying the URI
identifier for DSS (probably the same as the schema identifier) and the
address specifying the SOAP role/actor/URI/whatever it is this week.

		Phill

> -----Original Message-----
> From: Trevor Perrin [mailto:trevp@trevp.net]
> Sent: Monday, April 21, 2003 3:05 PM
> To: Robert Zuccherato; 'DSS TC'
> Subject: Re: [dss] FW: XML Key Management Specification Last Call - need
> review/feed back
> 
> 
> At 10:55 AM 4/21/2003 -0400, Robert Zuccherato wrote:
> 
> >I received the following message from Shivaram Mysore, one of the chairs of
> >the XKMS WG.  The XKMS specification has entered its last call process.  Are
> >there any comments that we, as a TC, wish to make to the XKMS WG?
> 
> It would be nice if the public key used by an (identified requestor /
> single key pair) DSS service could be registered and located.
> 
> For example, suppose Acme.com has a DSS service that it trusts to sign for
> Alice@Acme.com.  Suppose this DSS service has a single key pair, and when
> it signs, it adds "Alice@Acme.com" as a signed attribute to identify the
> requestor.
> 
> You'd like to be able to query the Acme.com XKMS service for
> Alice@Acme.com, and retrieve the DSS service's key.  However, the XKMS
> service wouldn't want to say "this is Alice's signature key", because
> that's untrue - you can't assume everything signed by this key is from
> Alice.  Instead, the XKMS service would need to say "this is Alice's
> *delegated* signature key", indicating that if you receive a signature
> signed by this key *and* with Alice's name as a signed attribute, only
> then should you assume the signature was produced under Alice's control.
> 
> I think this could be done by adding a new "DelegatedSignature" value to
> the <KeyUsage> element: <KeyUsage>DelegatedSignature</KeyUsage>.  We could
> at least ask them about something like this.
> 
> Trevor

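The delegated-signature rule from the quoted message, worked through as an added example in Go that is not part of the thread, of XKMS or of DSS: one DSS service with a single key pair signs for several requestors, an XKMS-style key binding carries either the standard Signature usage or the proposed DelegatedSignature usage, and the verifier treats a signature as Alice's only when it verifies under the bound key and the signed Requestor attribute names her. The KeyBinding and SignedMessage structures, the Requestor attribute name, Ed25519 in place of XML Signature, the Acme.com identities and the purchase-order content are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyUsage stands in for the XKMS <KeyUsage> element. "Signature" is an XKMS
// value; "DelegatedSignature" is the value proposed in the thread (assumption).
type KeyUsage string

const (
	UsageSignature          KeyUsage = "Signature"
	UsageDelegatedSignature KeyUsage = "DelegatedSignature"
)

// KeyBinding is a hypothetical, much simplified form of what an XKMS Locate
// response returns for a queried identity.
type KeyBinding struct {
	Subject   string            // identity the binding was issued for
	PublicKey ed25519.PublicKey // the DSS service's single key
	Usage     KeyUsage
}

// SignedMessage models a DSS result: the content plus the Requestor attribute
// the service adds, both covered by one signature.
type SignedMessage struct {
	Content   []byte
	Requestor string
	Signature []byte
}

// toBeSigned is a deterministic, length-prefixed encoding of content and
// requestor, so the attribute cannot be altered without breaking the
// signature. Ed25519 stands in for the XML signature the real protocol uses.
func toBeSigned(content []byte, requestor string) []byte {
	var buf bytes.Buffer
	for _, field := range [][]byte{content, []byte(requestor)} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		buf.Write(n[:])
		buf.Write(field)
	}
	return buf.Bytes()
}

// DSSService signs for any requestor it trusts, always with the same key,
// recording who asked in the signed Requestor attribute.
type DSSService struct{ priv ed25519.PrivateKey }

func (s DSSService) SignFor(requestor string, content []byte) SignedMessage {
	return SignedMessage{content, requestor, ed25519.Sign(s.priv, toBeSigned(content, requestor))}
}

// VerifyAttribution applies the rule from the thread: under a DelegatedSignature
// binding the message counts as the subject's only if the signature verifies
// under the bound key AND the signed Requestor names the subject; under a
// plain Signature binding the signature alone suffices.
func VerifyAttribution(subject string, kb KeyBinding, msg SignedMessage) error {
	if kb.Subject != subject {
		return errors.New("binding was issued for a different subject")
	}
	if !ed25519.Verify(kb.PublicKey, toBeSigned(msg.Content, msg.Requestor), msg.Signature) {
		return errors.New("signature does not verify under the bound key")
	}
	switch kb.Usage {
	case UsageSignature:
		return nil
	case UsageDelegatedSignature:
		if msg.Requestor != subject {
			return fmt.Errorf("delegated key: signed Requestor %q is not %q", msg.Requestor, subject)
		}
		return nil
	default:
		return fmt.Errorf("key usage %q does not cover signing", kb.Usage)
	}
}

// Demo runs the Acme.com scenario on constructed content: is Alice's own request
// accepted, is Bob's request kept from being attributed to Alice under a
// DelegatedSignature binding, and would a plain Signature binding misattribute it.
func Demo() (aliceAccepted, bobRejected, plainUsageMisattributes bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	svc := DSSService{priv}
	alice, bob := "Alice@Acme.com", "Bob@Acme.com"
	delegated := KeyBinding{alice, pub, UsageDelegatedSignature}
	plain := KeyBinding{alice, pub, UsageSignature}
	fromAlice := svc.SignFor(alice, []byte("approve purchase order 4711"))
	fromBob := svc.SignFor(bob, []byte("approve purchase order 4711"))
	aliceAccepted = VerifyAttribution(alice, delegated, fromAlice) == nil
	bobRejected = VerifyAttribution(alice, delegated, fromBob) != nil
	plainUsageMisattributes = VerifyAttribution(alice, plain, fromBob) == nil
	return
}

func main() { fmt.Println(Demo()) } // prints: true true true
```

The third result is the point of the quoted message: if the XKMS service published the DSS key under the ordinary Signature usage, anything the service signed for Bob would verify as Alice's, because nothing in that binding tells the relying party to look at the signed Requestor attribute. Note that the attribute must be inside the signed data, as toBeSigned does here; an unsigned requestor label could simply be rewritten.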
