Subject: RE: [wss] New Issue: Key Identifiers Should Not Be Used for Signatures
> > Thomas is right, I didn't realize it, but the link from the signature to the
> > token is in KeyInfo which appears in <Signature> but not in <SignedInfo>.
> > This looks like a huge hole to me. Can somebody tell me I am wrong?
>
> Huge seems overstating; I'd say minor, if any adjective is called for at all.
> How many times do you get the same keypair certified for different uses?
> Common practice says to have separate keys for signing and encryption, even.

The problem is that the Relying Party has no way of knowing how many certificates the sender has. At a minimum I would say this makes the spec totally useless for non-repudiation purposes and even doubtful for ordinary Authorization.

Hal
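
A receiver-side check for the gap discussed in this message, as an added example that is not part of the original post or of the WSS specification: it reports whether the token that KeyInfo points to is also covered by a ds:Reference in SignedInfo. The function names, the sample header and its Ids are constructed, the namespaces are assumed to be the published WSS 1.0 ones, and no signature value is cryptographically verified here.

```python
import xml.etree.ElementTree as ET

# Assumption: XML-DSig and published WSS 1.0 namespaces (drafts used others).
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"ds": DS, "wsse": WSSE}

def token_binding(security_xml):
    """Classify how a signature in a wsse:Security header is tied to its token.

    "signed":       KeyInfo references a token by Id and SignedInfo covers that Id.
    "unsigned":     KeyInfo references a token, but SignedInfo does not cover it.
    "unresolvable": KeyInfo gives no same-document token Id to check.
    """
    root = ET.fromstring(security_xml)
    sig = root.find(".//ds:Signature", NS)
    if sig is None:
        raise ValueError("no ds:Signature in header")
    ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    # The referenced Id must name an element that is actually in the header.
    ids = {el.get("{%s}Id" % WSU) for el in root.iter()}
    if not uri.startswith("#") or uri[1:] not in ids:
        return "unresolvable"
    # Only ds:Reference elements inside SignedInfo are covered by SignatureValue.
    covered = {r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    return "signed" if uri in covered else "unsigned"

def sample_header(key_info, extra_ref=""):
    """Constructed header; token and signature values are placeholders."""
    return f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <wsse:BinarySecurityToken wsu:Id="cert-A">CONSTRUCTED</wsse:BinarySecurityToken>
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#body"/>{extra_ref}</ds:SignedInfo>
    <ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>
    <ds:KeyInfo><wsse:SecurityTokenReference>{key_info}</wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
</wsse:Security>"""

BY_REFERENCE = '<wsse:Reference URI="#cert-A"/>'
BY_KEY_ID = "<wsse:KeyIdentifier>CONSTRUCTED</wsse:KeyIdentifier>"

if __name__ == "__main__":
    print(token_binding(sample_header(BY_REFERENCE)))
    print(token_binding(sample_header(BY_REFERENCE, '<ds:Reference URI="#cert-A"/>')))
    print(token_binding(sample_header(BY_KEY_ID)))
```

A relying party that requires the "signed" result rejects messages where the certificate could be exchanged for another one certifying the same key without invalidating the signature.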