Subject: RE: [wss] New Issue: Key Identifiers Should Not Be Used for Signatures



> > Thomas is right, I didn't realize it, but the link from the
> > signature to the token is in KeyInfo which appears in <Signature>
> > but not in <SignedInfo>.
> > This looks like a huge hole to me. Can somebody tell me I am wrong?
>
> Huge seems overstating; I'd say minor, if any adjective is called
> for at all. How many times do you get the same keypair certified
> for different uses?  Common practice says to have separate keys
> for signing and encryption, even.

The problem is that the Relying Party has no way of knowing how many
certificates the sender has. At a minimum I would say this makes the spec
totally useless for non-repudiation purposes and even doubtful for ordinary
Authorization.

Hal
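As an added illustration, not part of the thread, here is a toy model of the structure Hal describes: the signature value covers SignedInfo, which holds digests of the referenced parts, so a KeyInfo that no Reference points at can be altered without invalidating the signature, while adding a Reference to it makes the change detectable. Element names follow the thread; the HMAC key, the JSON stand-in for canonicalisation and the "cert-A"/"cert-B" identifiers are constructed assumptions, with the single fixed key modelling one key pair certified more than once.

```python
# Added example (not from the WSS thread): toy XML-DSig style verification
# showing why an unreferenced KeyInfo is not protected by the signature.
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: stands in for the signer's key pair


def digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def sign(body: str, key_info: str, cover_key_info: bool) -> dict:
    """Build a message whose SignatureValue covers SignedInfo only.
    SignedInfo carries digests of referenced parts; KeyInfo sits in
    <Signature> outside <SignedInfo> and is only protected when a
    Reference to it is added (cover_key_info=True)."""
    refs = {"Body": digest(body)}
    if cover_key_info:
        refs["KeyInfo"] = digest(key_info)
    signed_info = json.dumps(refs, sort_keys=True)  # stand-in for c14n XML
    sig = hmac.new(KEY, signed_info.encode(), "sha256").hexdigest()
    return {"Body": body,
            "Signature": {"SignedInfo": signed_info,
                          "SignatureValue": sig,
                          "KeyInfo": key_info}}


def verify(msg: dict) -> bool:
    """Core validation: check SignatureValue over SignedInfo, then check
    every Reference digest. Parts with no Reference are never checked."""
    sig = msg["Signature"]
    expected = hmac.new(KEY, sig["SignedInfo"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig["SignatureValue"]):
        return False
    parts = {"Body": msg["Body"], "KeyInfo": sig["KeyInfo"]}
    return all(digest(parts[name]) == d
               for name, d in json.loads(sig["SignedInfo"]).items())


def key_info_change_detected(cover_key_info: bool) -> bool:
    """Sign with one key identifier, then swap KeyInfo to name a second
    certificate for the same key pair; report whether verification fails."""
    msg = sign("<Body>transfer 100</Body>", "KeyIdentifier=cert-A", cover_key_info)
    msg["Signature"]["KeyInfo"] = "KeyIdentifier=cert-B"  # constructed swap
    return not verify(msg)
```

With cover_key_info=False the swapped KeyInfo still verifies, which is the gap the thread discusses; with a Reference covering KeyInfo the same swap fails validation.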
