Subject: ISSUE#3: DS:KEYINFO IN SIGNATUREOPTIONS (SIGN REQUEST DISCUSSION)
ISSUE#3: ds:KeyInfo in SignatureOptions

Short description: You include a ds:KeyInfo element within the root child SignatureOptions.

Short rationale: You contend that "KeySelector" and "Properties" in "SignatureOptions" "represent attempts by the client to control specific details of what goes in the dsig, so grouping them seemed appropriate."

My comments and proposal(s):

1. I proposed to change the name to KeySelector based on the fact that the element would act as a selector on the keys that the server has to produce signatures with, whereas the ds:KeyInfo in a ds:Signature element indicates material that allows the key to be used to verify the signature to be determined... It could even happen that these two elements could be different!!! in an environment where you select one key by the name, and the application profile instructs the server to put the certificate within the ds:KeyInfo, for instance... In your reply you said that perhaps this could make sense.

2. I propose NOT to put this element in the SignatureOptions element. As I said, "the information of the key that the server has to use is something crucial to the service, whereas the addition of properties, the canonicalization method, etc. is something of a second level of importance: in the end, the key also identifies the signer!!!"

3. Once that is said, I would find acceptable any of the two following proposals:

   a. To maintain KeySelector and ClaimedIdentity as separate root children, OR

   b. To define a new root child element ("RequesterDetails"?) including both KeySelector and ClaimedIdentity... the rationale being that a signing key can also identify the requester...

Regards,
Juan Carlos.