RE: [dss] Representing requestor's identity

[Trevor Perrin <trevp@trevp.net>]

At 05:07 PM 4/29/2003 -0400, jmessing wrote:

>Where a person signs on behalf of another person or an entity, which is an 
>essential element of delegated signing, it would be handy to have a 
>standard way of communicating  between applications and entities how the 
>authorizations were set up and for how long they are intended to last. It 
>could be critical to certain types of transactions.
>
>It is related to identification of a signer, but not identical to it.

This sounds less like signed attributes the signer would add to a 
particular signature, and more like policies, validity intervals, and name 
constraints a CA would add to the DSS Server's certificate.

In other words, you wouldn't trust the DSS Server to say "I'm authorized to 
sign for Bob", you'd trust some higher-level authority to say "the DSS 
Server is authorized to sign for Bob".

So this seems a matter of trust infrastructure that's out of scope for 
us.  Though once I pointed out that if we wanted DSS services to be able to 
have an X.509 cert that says "I'm authorized to sign for *@acme.com", we 
could try to convince PKIX that a cert with SubjectName 
"delegated-signing-authority@acme.com" should have that semantics, or 
something:
http://lists.oasis-open.org/archives/dss/200302/msg00019.html

Trevor

>---------- Original Message ----------------------------------
>From: Trevor Perrin <trevp@trevp.net>
>Date:  Tue, 29 Apr 2003 13:08:06 -0700
>
> >At 08:03 AM 4/29/2003 -0400, jmessing wrote:
> >
> >>Apart from some of the identity and authentication issues being debated
> >>with regard to SAML, I would like to see a somewhat richer set in the base
> >>where for example the corporate signing use case is involved.
> >>
> >>Besides a signer's identity, could we indicate where the signer is signing
> >>on behalf of another person or entity
> >
> >I think this is implied by the signed attribute for "Requestor Identity".
> >
> >>--title
> >
> >of the Requestor?  Within a SAML Assertion, it would be easy to give
> >further attributes of the Requestor (like his title) with 
> AttributeStatements.
> >
> >>--signature authorization (as in legal authority or delegated permission)
> >>--duration of signature authorization
> >
> >not sure what the above mean.  Are you sure they have to do with
> >Identifying the Requestor, and aren't just other signed attributes that a
> >DSS Service might add, but which our protocol doesn't have to take into
> >account?
> >
> >>--individual who granted authorization to sign
> >
> >I.e. the Requestor Identity?
> >
> >
> >Trevor
> >
> >
> >
> >