OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

dss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [dss] RE: EPM

Once again see my replies below, Steve Gray

-----Original Message-----
From: Trevor Perrin [mailto:trevp@trevp.net]
Sent: Friday, June 06, 2003 12:04 AM
To: dss@lists.oasis-open.org
Subject: [dss] RE: EPM


At 06:37 PM 6/5/2003 +0200, Gray Steve wrote:
>Trevor wrote:
>   - The sender's EPM stores certain data about the signed document,
indexed
>by TransactionKey, so that when the recipient comes to this EPM and
>requests to Verify the message, the sender could be notified, or the
>request will at least be logged.  But if the recipient goes to his own EPM
>service to Verify, and not the sender's, then how is notification and
>non-repudation of receipt accomplished?
>
><UPU> The services will be linked as part of a global service, however, the
>verify is simply checking a CRL, so that is based on the reference in the
>certificate.
></UPU>
>
>   - How is the ParticipatingParty list used in different use cases?  Its
>function isn't clear to me.
>
><UPU> This relates to closing the group for a particular document, only the
>parties on the list can verify sign, etc. The list is created up front.
></UPU>

It's not totally clear to me what it means that "The services will be 
linked as part of a global service", and whether/how notification and 
non-repudiation of receipt would work on a global scale (when the sender 
and receiver are talking to different EPMs), 

<UPU> OK, the global service is primarily for global standards, policies,
consistency, etc. so that there is a standard service offering from the
Posts on an international scale. On the technical side, all the relevant
information about the EPM is contained in the EPM package that is then sent
to the relying party. For example, the digital signature used for signing,
and the location for doing a CRL check, the Time Stamping Authority, etc.
This is probably better explained demonstrating a transaction involving
multiple parties across borders and this will be provided in our use case
document  </UPU>


or what the purpose of 
"closing the group" for a particular document is, but I assume these will 
be elaborated in the use case submission.

<UPU> I suppose this is like an Access Control List that is hard code at the
beginning. In this scenario, the document would have to be encrypted using
the public keys of the parties in the list.  There was a specific
requirement for this, but it is also something that can be achieved through
basic encryption of a docuemnt  </UPU>


>Trevor wrote:
>   - For the "Verify" operation, the client sends a "pkcs7data".  Is this
>just a pkcs7 signature encapsulating the signed data?  Yes. Does that mean
>detached signatures aren't supported?  No.
>Have you considered client-side
>hashing as an option? (the client sends a hash of the content instead of
>the content itself).  This could be supported for both Sign and Verify, and
>gives advantages in efficiency and privacy.
>
><UPU> we support both attached and detached. It is a client application
>decision.  </UPU>

So if the client sends a detached signature as pkcs7data for a Verify 
operation, the server will verify the signature over the signed attributes 
(including the message-digest signed attribute), but the client will have 
to do client-side hashing to check that the document matches this attribute?

If I understand correctly, this requires client-side hashing for detached 
signatures, and disallows it for "attached" signatures.  It might be nice 
if client-side hashing was an option unrelated to the type of signature you 
were verifying.  Also, it would be nice if you could do client-side hashing 
when using an EPM to create signatures (with the "Sign" operation).

These are features that the DSS TC seems willing to work on.  They could 
possibly be a benefit to EPM, if we could fuse our work together.

<UPU> Once again, let us present some scenarios in our use case document
which might clarify hashing and signing further </UPU>

>   - For the "Encrypt" and "Decrypt" operations, have you similarly
>considered client-side symmetric encryption (the client sends only the
>symmetric key for enveloping when encrypting, and sends only the envelope
>for decrypting; same advantages as client-side hashing).
>
><UPU> we could do non PKI, but we don't right now. We are concentrating on
>DSS for legally binding cases

By client-side symmetric encryption, I didn't mean to change the PKI nature 
of encryption/decryption - but even when using PKI, there's a symmetric 
encryption component using a "Content-Encryption Key", and then there's 
enveloping/de-enveloping of the CEK using asymmetric keys.  EPM has 
"Encrypt" and "Decrypt" operations that do both content-encryption and 
CEK-enveloping at the server-side.

It would be possible to do content-encryption/decryption on the 
client-side.  The client encrypts the content with a symmetric key, then 
sends the key to the server.  The server envelopes it to the recipient and 
returns a CMS RecipientInfo, which the client incorporates into a CMS 
EnvelopedData.  On the receiving side, the client could send the 
RecipientInfo to the server and receive back the CEK.

This has the same advantages as client-side hashing: if the message is 
large (say multi-megabyte), it doesn't have to be sent back and forth 
between clients and servers.  Also, the EPM servers are never given the 
plaintext of the message, so there's greater privacy (the EPM servers 
could, of course, intercept the ciphertext and decrypt it, but that's more 
work).

I'm not sure what legal ramifications there are to this.  Since EPM already 
has Encrypt/Decrypt operations, and client-side en/decryption would only 
reduce the amount of trust that needs to be placed in EPM servers, I 
wouldn't think any?

<UPU> OK, I will dicuss with my more technical colleagues to see if they
have any comments </UPU>

>Are you concerned with the fact that your protocol may not address legal
>issues if the client has to authenticate at the Server and not with their
>own keys
></UPU>
   - If the Sign operation occurs using the Postal Admin's private signing
>key, then does the recipient of the document receive any information on the
>identity of the client who requested the signature be performed?  If not,
>what good is the signature?  If so, how is this information transmitted
>(for DSS, we're thinking that the client requesting the signature must
>authenticate to the server, and the server inserts the client's name into
>the signature as a signed attribute).
>
><UPU> No, if I understand you correctly, this is totally non-binding
legally
></UPU>

This is worth investigating - i.e., what are the legal ramifications of a 
DSS server signing with its own keypair, but embedding the name of a client 
and claiming the signature came from this client?

Certain uses of DSS may not care about legal issues (e.g., where you're 
signing and verifying documents solely for the purpose of sender 
authentication, not for non-repudiation).  In other cases, the DSS may be 
the signer in a legal sense, so the embedded Requestor Identity will be 
purely informative.

However, the most interesting question is whether such a signature could 
stand up in court as having come from the client.  What I know about 
digital signature laws mostly comes from part of Peter Gutmann's crypto 
tutorial -
http://www.cryptoapps.com/~peter/part2a.pdf

He divides these laws into "prescriptive" and "hands-off" approaches.  The 
prescriptive ones (Utah, German, Italian, ETSI, Swedish) have all sorts of 
requirements on exactly what you and your CA must do to comply.  The 
hands-off ones (California, Massachusetts, US E-Sign, UNCITRAL) are more of 
the form "You can't refuse a signature just because it's digital", and 
don't mandate specific technologies (e.g. I signed my (US) tax returns 
using a PIN).  He mentions the EU Directive as a "mixed" approach.

Anyways, I would expect Identified Requestor signatures to comply with 
hands-off laws but not prescriptive ones.  As for the EU Directive, an 
Identified-Requestor signature might be an "Electronic Signature" but not 
an "Advanced Electronic Signature", since it is not "created using means 
that that signatory can maintain under his sole control".

Would you agree with this?  What laws has the EPM project identified as 
most relevant?

<UPU>  We are still investigating the various laws, but at this stage the
European laws appear to be the most stringent. In North America, the Posts
are able to classify their electronic services as mail and therefore
traditional mail tampering laws can also apply. With case law, this is all
very well, until you get an actual case to test the law. </UPU>

>   - The Locate and Encrypt operations let you specify the recipient with a
>DN or URL.  Why not an email address? (or can you include the email address
>as an URL?)  I'm surprised the docs you sent us don't mention EPM in the
>context of secure email, but instead talk about document applications like
>Office, Acrobat, etc...
>
><UPU> Certainly the EPM can be used for email. We can provide more
>information in our Use Case document. For looking up public keys, the LDAP
>protocol doesn't support just an email address </UPU>

You can search an LDAP based on an emailAddress.  But I guess knowing which 
directory to search and how to form the query depends on the directory 
structure.  Probably that's why XKMS and HTTP certstore present a simpler 
interface for retrieving certs and public keys by just querying on the 
email address.

Is EPM assuming everyone will be known by Distinguished Names that are part 
of a properly formed tree, and that there will be a space of LDAP 
directories linked with referrals where you can find people's certificates?

<UPU> No, we can't assume this, but the policies of the Posts will be
determined by the Liability they have to accept, with the main concern being
to ensure a certificate is verified efficiently. There will eventually be
many, many applications and accordingly many validation processes. The Posts
will not always be the CA. Therefore, control over how Directories are
configured will not always belong to the Posts. </UPU> 

Trevor 


You may leave a Technical Committee at any time by visiting
http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]