OASIS Mailing List Archives

 



wss message



Subject: Re: [wss] New Issue: Key Identifiers Should Not Be Used for Signatures


> The problem is that the Relying Party has no way of knowing how many
> certificates the sender has.

Yes.

> At a minimum I would say this makes the spec
> totally useless for non-repudiation purposes and even doubtful for ordinary
> Authorization.

I don't see it.  Are you saying the private key under CertA might be
protected differently than the same private key under CertB?  What
prevents me (or an adversary who cracked my PIN) from using the "A"
version to include CertB?

I also don't see the authorization aspect at all.  DSIG shouldn't be 
used for anything other than content integrity, right?
	/r$


-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html


