OASIS Mailing List Archives

dss message



Subject: RE: [dss] "Required" Designation on SignatureObject within VerifyRequest


At 10:45 PM 4/16/2004 -0400, Edward Shallow wrote:
>You are missing the point. Are you saying that profiles are categorically
>restricted from pursuing scenario-specific support of multiple signature
>verification ?

Not necessarily.  We support time-stamped signatures for example, which are 
similar to counter-signed signatures.

As long as there's a single main signature, profiles are welcome to add 
other stuff.  Support for counter-signed signatures would be a good idea 
for the core or XAdES profile.

However, changing the verify protocol so it can verify multiple *main* 
signatures is a big deal: you'd need to change or disallow all the core 
options, define entirely new result codes, change the processing rules, and 
omit the <SignatureObject>.

In my opinion, profiles shouldn't have this much flexibility.  Profiles 
should constrain and extend the core, not redefine it.  So if we want this 
functionality I think we should add it to core.  Loosening the core syntax 
so that profiles can do whatever they want is a recipe for chaos.


Anyways, this discussion touched on a few possible features:
  a) counter-signatures  (or other "subsidiary" signatures)
  b) ability for client to not send <SignatureObject>
  c) ability to verify multiple signatures in a single call

I think (a) would be the easiest, (c) would be the hardest.  If you would 
be happy with (a) or (b) then perhaps we should focus on that.


Trevor 


