
Subject: RE: [dss] Re: Indication of Intent / Commitment type


At 09:50 AM 3/9/2004 -0500, jmessing wrote:

>In a dss, the username/password can be leveraged into a digital signature 
>by having a method by which a server recognizes a user from the 
>username/password and digitally signs on the user's behalf [...] One way 
>to do this is to have a third party authenticate the user with the 
>username/password and digitally sign an authentication assertion (SAML) 
>which the signature server recognizes.

Just to toss in a comment:

TLS/SRP is another good way to use usernames/passwords. The client uses his 
username and password to mutually authenticate with the DSS server and 
establish a secure session.

Of course, if you *want* to use a 3rd-party for authentication, this isn't 
helpful, but if password-based authentication directly with the DSS server 
is what you want, I think that's the best way to go.

Trevor 


