OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

dss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [dss] EPM use cases: some questions and one requeriment.

At 04:11 PM 6/18/2003 +0200, Juan Carlos Cruellas wrote:

>Translating this situation to our services, I think that the
>validation service should be designed in such a way that
>the requestor COULD request from the service, not only
>the validation result but also the cryptographic material
>used for that verification. Indeed section 3.7.5 explicitely
>says that the sevice "may also return information used
>in verification).
>Section 3.6.2 talks about "Explicit key and validation
>info submitted by client (Certificates, CRLs, OCSP
>responses). To me, this means that the text contemplates
>the possibility of the client sending the validationdata.
>I would say that there will be lots of
>times when client will not want to get involved in
>looking for CRLs or answering to OCSP servers.
>What is missing is to allow him to request this validation
>data as part of the answer.

Good point.


>And as in the list of requeriments for Signing Request, we have
>section 3.4.4 Explicit Signed/Unsigned Attributes,
>I think that we could add something similar to section 3.6:
>
>INITIAL PROPOSAL:
>"3.6.3 Explicit Unsigned Attributes
>The client may ask the server to insert particular attributes
>in the signature, as for instance, the validation data (CRLs or
>OCSP responses) used in the validation, for storage purposes."

What about adding a new bullet to 3.6.2, "Whether Information used in 
verification should be returned"?

You raise another interesting point - I didn't realize that 3.7.5 meant the 
server would return this information as unsigned attributes on the 
signature, I just thought it would return it separately.  This text is from 
Nick, he was probably thinking the same as you.  So I would guess this 
means updating the signature to an XAdES-X-L or something, with all the 
certificate and CRL data attached?

Is this as simple as the client just saying "yes, attach the verification 
data" or "no, don't", or does the client need to indicate different levels 
of what it wants included?

Trevor

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]