W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2000

Re: Where would the appropriate place to identify a "Role" of a x509d ata subject?

From: Ken Goldman <kgold@watson.ibm.com>
Date: Mon, 10 Jul 2000 10:13:49 -0400
Message-Id: <200007101413.KAA34414@alpha.watson.ibm.com>
To: Lynn_Sites@Equinta.com
CC: w3c-ietf-xmldsig@w3.org
> From: Lynn Sites <Lynn_Sites@Equinta.com>
> Old-Date: Sat, 8 Jul 2000 12:17:01 -0700 
> 
> I am developing a real estate transaction application and need to declare a
> role of a specific signatory to a document, such as Buyer1, Buyer2,
> BuyersAgent, SellersAgent,...  I am wondering where we would declare that,
> as an attribute of the x509Data element , such as a  X509SubjectRole
> element, which would contain an X.509 subject distinguished name role or is
> there another more appropriate location ?
> 
> We will be having structured xml documents which will have specific
> locations enunciated to sign for the various  parties of the transaction.

IMHO, the answer depends upon the higher level security model.  Who
assigns the role?  Who assigns trust in the signer?  What are the
consequences of a forged role?  Who is libel for the consequences?

The way I understand your proposal, you'd assign the role as a KeyInfo
element.

	Question for the list: Does the spec allow application defined
	attributes in KeyInfo.  I don't think so.  Am I missing
	something?

Anyway, why attach something to the certificate element which
presumably has nothing to do with the certificate.  It might be better
to create a wholly separate signed SignerRole element outside the
signature block, with the signer's role, name, address, etc.

OTOH, if it does have something to do with the certificate (the role
is being attested to by the certificate issuer), then it has to be in
the certificate or in some other way signed by the issuer.  Otherwise,
the signer can forge the role.

-- 
Ken Goldman   kgold@watson.ibm.com   914-784-7646
Received on Monday, 10 July 2000 10:13:53 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:10 GMT