Subject: Re: [wss] New Issue: Key Identifiers Should Not Be Used for Signatures
> The problem is that the Relying Party has no way of knowing how many
> certificates the sender has.

Yes.

> At a minimum I would say this makes the spec
> totally useless for non-repudiation purposes and even doubtful for ordinary
> Authorization.

I don't see it. Are you saying the private key under CertA might be protected differently than the same private key under CertB? What prevents me (or an adversary who cracked my PIN) from using the "A" version to include CertB?

I also don't see the authorization aspect at all. DSIG shouldn't be used for anything other than content integrity, right?

/r$

--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html