OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

dss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: About the next meeting

Dear all,

As next Monday  seems to be holidays in USA, the next
meeting will be re-scheduled for Monday June the second.
In the meantime I propose  to progress in the items that
appeared in the agenda I circulated for this conference, discussing
them by email, and trying to arrive to the next meeting in the best 
position that we can.... 

Just one comment on Item 5. If nothing is received on the additions
to the XKMS comments  22 of May the latest, I propose to send the original
comment made
by Robert:

---TEXT POSTED BY ROBERT:

The DSS TC would like to thank the XKMS WG for the opportunity to comment on
the Last Call Working Draft.  We have one comment related to a potential
enhancement to support our use cases.

A DSS service may produce signatures (such as XML-DSIG and CMS signatures)
for its clients - if it authenticates the client, it may attach the client's
name as a signed attribute to the signature - this way a client can produce
signatures that are associated with himself, without needing his own key
pair.

So it would be nice if a relying party can query an XKMS service on the DSS
client's name, and receive back the DSS service's key, but the XKMS client
would need to be told that this key is not in the sole possession of the DSS
client, but must be associated with the DSS client through a signed
attribute.

Two options appear feasible.  

This could be done by adding a new "DelegatedSignature" value to the
<KeyUsage> element: <KeyUsage>DelegatedSignature</KeyUsage>.  So for a given
protocol that uses signatures, an XKMS client could query for
<KeyUsage>DelegatedSignature</KeyUsage> as well as 
<KeyUsage>Signature</KeyUsage>.  This is simple, but would require a change
to XKMS.

Alternatively, the same an extra application URI could be defined for the
<UseKeyWith> element, for every protocol that uses signatures, to denote the
delegated signature version.  This requires the definition of an extra URI
for each protocol that uses signatures and thus seems more difficult to
support, in general.  It would not require a change to XKMS though.

---END OF TEXT

Regards

Juan Carlos.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]