- From: <tgindin@us.ibm.com>
- Date: Fri, 29 Oct 1999 17:18:45 -0400
- To: XML-DSIG <w3c-ietf-xmldsig@w3.org>

Is there agreement that the equivalent of PKCS-7 or CMS authenticated attributes go into SignatureProperties? I do think that the equivalents of CMS authenticated attributes are very valuable in signing applications. In particular, in something like a notary service, the most natural form for an "attestation" by a witness is a CMS authenticated attribute. An example of what I mean would be something like the following:

A) An American notary (no extra legal powers) checks the photographic ID of the customer who wants a signature notarized.

B) Today, the notary adds the details of the ID to a large bound book which is kept under lock and key.

C) In CMS or PKCS-7, the natural thing to do would be to add an authenticated attribute for "checked driver's license" or "checked passport" to the base of the notary's signature, with a value containing, among other things, "common name", "issuing jurisdiction", "serial number", and "validity period".

Losing this capability in XML signing would not, IMHO, be a good thing. The notary's signature would be applied to the base document, to the customer's signature, to the signing time, and to the attestations together.

Tom Gindin

Received on Friday, 29 October 1999 17:20:21 UTC
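
The notary attestation from item C, sketched as a `SignatureProperties` block that a `Reference` digest places under the notary's signature. This is an added example, not part of the original message or of any working-group text. The `att:` namespace, the `CheckedID` element, its child names, the `Id` values and all field values are hypothetical or constructed; signing of `SignedInfo` is omitted, and Python's built-in C14N 2.0 stands in for whatever canonicalization a deployment would use.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ATT = "urn:example:notary-attestation"   # hypothetical namespace for the attestation
ET.register_namespace("ds", DS)
ET.register_namespace("att", ATT)


def build_properties(id_type, fields):
    """Wrap the ID-check details in ds:SignatureProperties aimed at the notary's signature."""
    props = ET.Element(f"{{{DS}}}SignatureProperties", {"Id": "notary-props"})
    prop = ET.SubElement(props, f"{{{DS}}}SignatureProperty", {"Target": "#notary-sig"})
    checked = ET.SubElement(prop, f"{{{ATT}}}CheckedID", {"type": id_type})
    for name, value in fields.items():
        ET.SubElement(checked, f"{{{ATT}}}{name}").text = value
    return props


def digest(props):
    """Base64 SHA-256 over the canonical form of the properties element."""
    c14n = ET.canonicalize(ET.tostring(props, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(c14n.encode("utf-8")).digest()).decode()


def build_reference(props):
    """ds:Reference that would sit in SignedInfo, so the signature covers the attestation."""
    ref = ET.Element(f"{{{DS}}}Reference",
                     {"URI": "#" + props.get("Id"), "Type": DS + "SignatureProperties"})
    ET.SubElement(ref, f"{{{DS}}}DigestMethod",
                  {"Algorithm": "http://www.w3.org/2001/04/xmlenc#sha256"})
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest(props)
    return ref


def reference_matches(ref, props):
    """Verifier side: recompute the digest and compare with the referenced value."""
    return ref.find(f"{{{DS}}}DigestValue").text == digest(props)


# Constructed sample values for a "checked driver's license" attestation.
SAMPLE = {"commonName": "Jane Q. Sample", "issuingJurisdiction": "US-NY",
          "serialNumber": "000-000-000", "validityPeriod": "1997-01-01/2001-01-01"}

if __name__ == "__main__":
    p = build_properties("drivers-license", SAMPLE)
    print(ET.tostring(p, encoding="unicode"))
    print(ET.tostring(build_reference(p), encoding="unicode"))
```

Because the reference digest is part of what the notary signs, changing any attested field after signing makes `reference_matches` return false.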