dss message



Subject: ISSUE#3: DS:KEYINFO IN SIGNATUREOPTIONS (SIGN REQUEST DISCUSSION)



ISSUE#3: ds:KeyInfo in SignatureOptions

Short description: You include a ds:KeyInfo element within the 
root child SignatureOptions.

Short rationale: You contend that "KeySelector" and "Properties" into 
"SignatureOptions" "represent attempts by the client to control 
specific details of what goes in the dsig, so grouping them seemed
appropriate."


My comments and proposal(s): 
	
	1. I proposed to change the name to KeySelector based
	on the fact that the element would act as a selector
	on the keys that the server has to produce signatures, whereas
	the ds:KeyInfo in a ds:Signature element indicates material
	that allows to determine the key to be used to verify the
	signature... It could even happen that these two elements
	could be different!!! in an environment where you select
	one key by the name, and the application profile instructs
	the server to put the certificate within the ds:KeyInfo, for instance...
	In your reply you said that perhaps this could make sense.

	2. I propose NOT to put this element in SignatureOptions element.
	As I said, "the information of the key that the server has
	 to use is something crucial to the service, whereas the addition
	 of properties, the canonicalization method, etc. is something
	 of a second level of importance: in the end, the key also identifies
	 the signer!!!."

	3. Once said that, then I would find acceptable any of the two 
	following proposals:

		a. To maintain KeySelector and ClaimedIdentity
		as separated root children OR
	
		b. To define a new root child element ("RequesterDetails"?)
		including both, KeySelector and ClaimedIdentity....the 
		rationale being that a signing key can also identify the
		requester.....


Regards

Juan Carlos.

