- From: Hallam-Baker, Phillip <pbaker@verisign.com>
- Date: Wed, 5 Jun 2002 09:12:57 -0700
- To: Ed Simon <edsimon@xmlsec.com>, stef.hoeben@utimaco.be
- Cc: www-xkms@w3.org

XKMS would not be a good protocol as presently written since you would need to implement XML signature to delegate the signature verification...

Such a protocol would need to profile XML signature, e.g. use detached sigs in SOAP headers a la ws-security to provide value.

I don't think that such a protocol is an XKMS protocol but given the way the term came together I could well imagine that XKMS would become a moniker for key related trust services and a delegated signature verification protocol being proposed as one more subsystem.

Incidentally I see more of a need for delegated signature ops than verification ops. I can think of many instances in which you would delegate the sig to a secure hardware signing box but not want the signing box to run the whole application.

Regardless, such issues are currently out of scope.

Phill

> -----Original Message-----
> From: Ed Simon [mailto:edsimon@xmlsec.com]
> Sent: Wednesday, June 05, 2002 9:29 AM
> To: stef.hoeben@utimaco.be
> Cc: www-xkms@w3.org
> Subject: Re: Validation of signatures?
>
> XKMS is for key-centric operations and is not intended to support either
> core or extended processing of XML Signatures (beyond retrieving and/or
> validating the public key in question).
>
> XML Signature Toolkits support the core validation processing defined in the
> XML Signature specification. It should certainly be feasible for
> applications to supplement these Toolkits with features like time-stamp
> checking and so on. As well, XKMS could be used as the basis for such
> things as "checking if a cert is valid some time ago" though I can't say if
> that type of functionality would necessarily be provided by an XKMS service
> provider.
>
> Regards, Ed
>
> ----- Original Message -----
> From: <stef.hoeben@utimaco.be>
> To: <pbaker@verisign.com>
> Cc: <www-xkms@w3.org>
> Sent: Wednesday, June 05, 2002 2:45 AM
> Subject: Validation of signatures?
>
> > Hello,
> >
> > is it possible (or does it make sense) to validate an (XML) signature
> > with an XKMS validate request?
> >
> > The docs talk about validation of certs, keys, key names, ... but not
> > of an entire signature.
> >
> > The reason is that validation of a signature may be much harder than
> > verifying the signature with a cert and then using an XKMS validate
> > request to validate the cert.
> >
> > For example, ETSI's Advanced Electronic Signatures that remain
> > valid over long periods uses o.a. timestamps as an extension.
> > This allows you to check if such a signature was valid some time in
> > the past, but it requires time stamp checking and checking if a cert is
> > valid some time ago.
> >
> > Kind regards, sorry if this is off-topic,
> > Stef
> >
> > ETSI's Advanced Electronic Signatures:
> > - XML Advanced Electronic Signatures (XAdES),
> >   http://portal.etsi.org/sec/el-sign.asp#TS 101 903
> > - the PKCS7-based counterpart: TS 101 703,
> >   http://portal.etsi.org/sec/el-sign.asp#TS 101 733

Received on Wednesday, 5 June 2002 12:11:48 UTC