Subject: RE: [security-services] Metadata for 1.1 Web Browser SSO Profile, Draft 06, 1 May 2003
From: Scott Cantor (cant@osu.edu)
Date: Jul 9, 2003 8:03:30 am
List: org.oasis-open.lists.security-services

> In the case where the key distributed with the metadata is a public signature-verification key, it is acceptable, desirable and conventional to sign the metadata using the corresponding private key. This is common practice for X.509 certificates. In addition, it allows the integrity of the metadata to be confirmed using an out-of-band "digest".

It shouldn't be mandatory to use the same key, since that basically only permits point-to-point trust.

> As currently required, the integrity of the metadata has to be protected with a separate key. Presumably, it too has associated metadata that has to be distributed, protected with another key, which (in turn) has metadata. Allowing the enclosed key to confirm the integrity of the metadata breaks this cycle.

PKI always has an arbitrary stopping point somewhere. It's ok to allow it to be self-signed, but we shouldn't insist on it.

> Here is a suggestion for a digest procedure:

Umm, why not XML signature?

-- Scott
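The two positions in this exchange (sign the metadata with the key it distributes, confirmed by an out-of-band digest, versus allow but do not require that, so a separately distributed trust anchor can also vouch for it) can be expressed as one verifier policy. The following Go program is an added illustration written for this archive page; it is not code from either poster or from any SAML implementation. It uses Ed25519 and a constructed one-line "body" in place of XML Signature and canonical XML, and it assumes a hypothetical `Policy` with three knobs: out-of-band trust anchors, whether a self-signed document is acceptable, and an out-of-band digest of the expected body. As a defender's caveat, the self-signed path is only accepted when the out-of-band digest is also present and matches, since a self-signed document on its own proves internal consistency, not who produced it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Metadata is a stand-in for a SAML metadata document: the entity it describes,
// the public key it distributes for that entity, and a signature over the body
// made with some signing key (which may or may not be the distributed key).
type Metadata struct {
	EntityID   string
	KeyDescr   ed25519.PublicKey // key the metadata distributes for the entity
	Signature  []byte            // signature over Body()
	SigningKey ed25519.PublicKey // key claimed to have signed the metadata
}

// Body returns the bytes covered by the signature. This is a constructed
// canonical form; real metadata would rely on XML Signature canonicalisation.
func (m Metadata) Body() []byte {
	return []byte("EntityID=" + m.EntityID + ";Key=" + hex.EncodeToString(m.KeyDescr))
}

// Sign builds metadata for entityID that distributes pub and is signed by signer.
// Passing the private half of pub as signer produces the self-signed case.
func Sign(entityID string, pub ed25519.PublicKey, signer ed25519.PrivateKey) Metadata {
	m := Metadata{
		EntityID:   entityID,
		KeyDescr:   pub,
		SigningKey: signer.Public().(ed25519.PublicKey),
	}
	m.Signature = ed25519.Sign(signer, m.Body())
	return m
}

// Policy is a hypothetical relying-party configuration capturing the thread:
// anchors obtained out of band, whether self-signed metadata is acceptable, and
// an optional out-of-band SHA-256 digest (hex) of the expected body.
type Policy struct {
	Anchors         []ed25519.PublicKey
	AllowSelfSigned bool
	ExpectedDigest  string // "" when no digest was obtained out of band
}

// Verify reports which rule accepted the metadata ("trust-anchor" or
// "self-signed"), or an error explaining why it was rejected.
func Verify(m Metadata, p Policy) (string, error) {
	// Integrity first: the signature must verify under the claimed signing key.
	if !ed25519.Verify(m.SigningKey, m.Body(), m.Signature) {
		return "", fmt.Errorf("signature does not verify under the claimed signing key")
	}
	// Optional out-of-band digest, as suggested in the thread.
	digestChecked := false
	if p.ExpectedDigest != "" {
		sum := sha256.Sum256(m.Body())
		if hex.EncodeToString(sum[:]) != p.ExpectedDigest {
			return "", fmt.Errorf("body digest does not match out-of-band digest")
		}
		digestChecked = true
	}
	// Rule 1: a separately distributed trust anchor signed it (not point-to-point).
	for _, a := range p.Anchors {
		if a.Equal(m.SigningKey) {
			return "trust-anchor", nil
		}
	}
	// Rule 2: self-signed with the enclosed key, allowed by policy, and pinned by
	// the out-of-band digest so the stopping point is a real one.
	if p.AllowSelfSigned && m.SigningKey.Equal(m.KeyDescr) && digestChecked {
		return "self-signed", nil
	}
	return "", fmt.Errorf("signing key is neither a trust anchor nor an accepted self-signature")
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	md := Sign("https://idp.example.org/saml", pub, priv) // constructed entity id
	sum := sha256.Sum256(md.Body())
	digest := hex.EncodeToString(sum[:])

	rule, err := Verify(md, Policy{AllowSelfSigned: true, ExpectedDigest: digest})
	fmt.Println("self-signed + digest:", rule, err)
	_, err = Verify(md, Policy{AllowSelfSigned: true})
	fmt.Println("self-signed, no digest:", err)
}
```

Running it accepts the self-signed document only when the digest is also supplied, and a document signed by a third party is accepted only when that party's key is among the anchors; either way the signature must verify before any trust decision is made.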