OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

dss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [dss] EPM use cases: some questions and one requeriment.

Juan carlos, Trevor,

Looking at this I realise that we have confusion over what is a "signature
policy" & "validation policy".  Currently, the Signature Policy as described
in ETSI covers validation requirements.

Do we want to have a signature policy which comprises the creation and
validation policy components?  Also, is it validation or verification?

Nick

> -----Original Message-----
> From: Juan Carlos Cruellas [mailto:cruellas@ac.upc.es]
> Sent: 25 June 2003 11:26
> To: dss@lists.oasis-open.org
> Subject: Re: [dss] EPM use cases: some questions and one requeriment.
>
>
> Trevor,
>
> I agree that it would be easier for the client to send   yes or not....
> but again, this means that, at least, the server will always have
> a policy at least, and perhaps different policies and the client
> means to know in advance which one is interesting for him....
>
> I would then add some text in 3.7.5 that explicitely relates the
> issue of returning the validation data with what is stated in
> the validation policy...what about addingsomething like:
>
> " accordingto what is stated in the corresponding verification policy."
>
> at the end of the sentence in 3.7.5?
>
> Juan Carlos.
>
> At 18:09 20/06/2003 -0700, Trevor Perrin wrote:
> >
> >This was supposed to be the "Verification Policy", where 3.4.4 is the
> >"Signing Policy".  These were intended to be identifiers that
> lump together
> >any parameters that aren't explicitly covered elsewhere, with
> the idea that
> >if the client doesn't identify a policy, each server has some default
> >policy.  This isn't very clear, and "Policy" is an overloaded word, I'll
> >try to clear this up in another draft in the next few days.
> >
> >For things like what type of verification data to return, where
> there could
> >be lots of different types and different ways of doing it (do you want
> >certificates and/or revocation data or both?  do you want CRLs or OCSP
> >responses or something else?  How recent do you need the
> verification data
> >to be?  Does it need to be time-stamped?)  it seems easier to let the
> >details of this be implicit in the Verification Policy, and just
> have the
> >client say "yes, I want verification data", or "no, I don't".
>
>
> >
> >Trevor
> >
> >
> >You may leave a Technical Committee at any time by visiting
> http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_wor
kgroup.php
>

You may leave a Technical Committee at any time by visiting
http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]