[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [regrep] Vote on version 2.03 - ACTION ITEM
During the first ebXML initiative, lighter-weight authentication (user/password, basic auth ) over SSL was proposed, even for publishing data to the reg/rep, and for the same
reasons Joel suggests here (barriers to
entry).
However, I think that digital signature, while perhaps
not needed for authorization/access purposes, is still
something
that provides evidence that the published information
is at least definitely from the subject
identified
by the distinguished name (according to the certificate
issuer). That "trust" credential in the signature
allows
people using the published info one
check. Possibly some documents need no signature (schemas?);
others
like CPPs or CPA templates would benefit from a
signature. If you are going to make digital signature
optional
(on the publish message and over the published
object), then I think you need to preserve
a
decent "trust story" for the information items in a
repository,
or, failing that, there is an explicit "use at own
risk" flag over object
whose trust claims lack credentials/evidence. CPP
and CPA template signatures themselves, by the
way,
are not mandatory.
Dale Moberg
-----Original Message-----
From: Munter, Joel D [mailto:joel.d.munter@intel.com] Sent: Thursday, June 13, 2002 8:05 AM To: 'Damodaran, Suresh'; 'Oasis Registry TC' Subject: RE: [regrep] Vote on version 2.03 - ACTION ITEM My primary
argument is, "financial and technological barriers to entry." Certificate
acquisition and management are not free and not trivial. From a practical
point, I may choose to make some things that I publish, purely public and dsig
just simply is not required. I want to be able to choose what I
sign. imho Signing entries should be optional. It has been
suggested (by others) that the first two might be reconsidered in the V3
timeframe.
Joel
-----Original Message-----
From: Damodaran, Suresh [mailto:Suresh_Damodaran@stercomm.com] Sent: Thursday, June 13, 2002 7:57 AM To: 'Munter, Joel D'; 'Oasis Registry TC' Cc: Mikula, Norbert H Subject: RE: [regrep] Vote on version 2.03 - ACTION ITEM Joel,
Responses to your security related, "non-typo" type of comments
below.
Regards,
-Suresh -----Original Message-----
From: Munter, Joel D [mailto:joel.d.munter@intel.com] Sent: Wednesday, June 12, 2002 5:45 PM To: 'Oasis Registry TC' <snip>
line
3696:3697: I still believe that this specification should NOT mandate digital
signature for all content per the statement "The
Registry Client has to sign the contents before submission - otherwise the
content will be rejected."
line
3733:3734: I have the same objection to mandating digital signatures on payloads
per the text "This
packaging assumes that the payload is always signed."
[Damodaran, Suresh] What is your rationale behind your objection? line
3876:3877: Should the second occurrence of public key in the following sentence,
"To
validate a signature, the recipient of the signature needs the public key
corresponding to the signer's public key.," actually be private
key? If not then something else seems very awkward about this
sentence.
[Damodaran, Suresh] You are right. It should be "private key." <snip>
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC