OASIS Mailing List Archives


Subject: Re: [dss] Re: OASIS Digital Signature Services TC announcement



Trevor,

I agree with you, and I think that also Peter agrees with you,
according to one mail that he has sent to me.
I have advised him to use the public comments list to address 
these issues.

Juan Carlos.

This is his text:
>The question is not how the server gets access based on some
>reference, but how does the client and maybe an enduser select
>among several keys, or claimedIdentities,
>
>in the mapping from user to claimedidentity to key to there is
>at least (or exactly one) n-1 mapping, for example.
>
>user has n identities.
>each identity, well here, one could say, has one active certificate for signing,
>a certificate then references one key.
>
>I guess a small profile from SAML can be used to list all the
>claimedIdentities available to a user.
>
>I have a student here who is currently doing an SRP-TLS inside
>openssl as the last part of a PKCS11 implementation that
>uses a remote usage of keys, etc. Currently it is a small
>protocol based simply on asn1 (since this is easy with openssl.)
>
>I think I know what to do for the next student :-)

-------------------------------
At 14:42 08/07/2004 -0700, Trevor Perrin wrote:
>
>>At 16:47 08/07/2004 +0200, Peter Sylvester wrote:
>> >hello,
>> >
>> >I have a question about this text. I may have overlooked
>> >it. How would a client detect which keys it can use to
>> >sign?
>
>Hi Peter, Juan Carlos -
>
>If I understand the question: DSS doesn't specify a way for the client to 
>"query" a DSS server, and figure out which certificates/keys the server is 
>capable of signing with.
>
>We assume the client can either find these out through some other means, or 
>else trusts the server to select the key/certificate.
>
>Trevor 
>

