Subject: [wss] Proof-of-Possession
Colleagues,

In order to help us solidify what we mean by proof of possession, I have prepared the following list of lines from the specs that talk about proof of possession and have then made some observations on the consistency of those lines.

Core:

208 Proof-of-Possession - Proof-of-possession is authentication data that is provided with a
209 message to prove that the message was sent and or created by a claimed identity.

210 Signature - A signature is a cryptographic binding between a proof-of-possession and a digest.

215 Signature - A signature is a cryptographic binding between a proof-of-possession and a digest.

248 security token) to the messages they create. A signature created by a message sender to
249 demonstrate knowledge of an authentication key is referred to as a Proof-of-Possession and may
250 serve as a message authenticator if the signature is performed over the message.

478 This specification does not dictate if and how subject confirmation must be done, however, it does
479 define how signatures can be used and associated with security tokens (by referencing them in
480 the signature) as a form of Proof-of-Possession

1494 When digital signatures are used for verifying the identity of the sending party, the sender must
1495 prove the possession of the private key. One way to achieve this is to use a challenge-response
1496 type of protocol. Such a protocol is outside the scope of this document.
1497 To this end, the developers can attach timestamps, expirations, and sequences to messages.

Binding Documents:

3.4 Proof-of-Possession of Security Tokens

Observations:

210/215 say that a signature is a binding BETWEEN a proof-of-possession and a digest, but 248-250 and 478-480 say that a signature IS a proof-of-possession.

1494-1497 talk about proof of possession of a KEY, but the bindings have headings for proof of possession of SECURITY TOKENS and lines 208-209 talk about proof that a message was sent and or created by a claimed IDENTITY.

In resolving the above two observations, it may also help to consider whether, in 208-209 ("sent and or created"), we really mean "sent, created, or both sent and created" or just "created" or just "sent and created" or "created and intended" or something else.

&Thomas.