RE: [dss] Bindings

["Nick Pope" <pope@secstan.com>]

Do we need to put it in a separate document for the bindings or could it be
in the core or repeated as approprioate in the profiles?

Also, I suggest that the profiles include a high level statement of what
security services are required from the underlying services.

Nick



> -----Original Message-----
> From: Trevor Perrin [mailto:trevp@trevp.net]
> Sent: 27 January 2004 22:39
> To: Nick Pope; OASIS DSS TC
> Subject: Re: [dss] Bindings
>
>
> At 09:46 PM 1/27/2004 +0000, Nick Pope wrote:
>
> >I would like to highlight one issue which I not sure how it is being
> >addressed:
> >
> >Bindings to underlying protocols and the security requirement of the
> >underling service.
> >
> >I believe that this specifics of the bindings are best specified in the
> >profile but should be common as far as possible across the profiles.
>
> I agree.
>
>
> >One way to start is to put some text in the time-stamp profile
> and then use
> >this as the basis for bindings in the other profiles.
>
> The time-stamping profile draft [1] has something like that:
> """
> 2.1  Transport and Security Bindings
> This profile is transported using the SOAP-over-HTTPS binding of DSS
> defined in ???.  The client MUST authenticate the server and validate the
> server's X.509 certificate chain.  The server MAY authenticate the client.
> """
>
> I was thinking of starting a Bindings Document, that we could reference
> from the "???".  I would start it off with HTTP POST and TLS
> bindings, and
> then if someone else wants to add bindings for SOAP or WS-Security, they
> could do so.
>
> Is that the sort of approach you were thinking of?
>
> Trevor
>
>
> [1]
> http://www.oasis-open.org/apps/org/workgroup/dss/download.php/5121
/oasis-dss-1.0-timestamping-profile-spec-wd-02.pdf