This went to the list some time back; it is the Request Signature value
repeated in the response.
This means that you have a strong binding from the request to the
response: even if the service does not authenticate the request properly,
the client knows that the response corresponds to the request.
The request 'signature' algorithm could be SHA-1, so this need not be
major protocol overhead.
<!-- ResultAbstractType -->
<complexType name="ResultAbstractType" abstract="true">
  <complexContent>
    <extension base="xkms:MessageAbstractType">
      <sequence>
        <element ref="xkms:RequestSignatureValue" minOccurs="0"/>
      </sequence>
      <attribute name="ResultMajor" type="QName" use="required"/>
      <attribute name="ResultMinor" type="QName" use="optional"/>
      <attribute name="RequestId" type="anyURI" use="required"/>
    </extension>
  </complexContent>
</complexType>
<!-- /ResultAbstractType -->
> -----Original Message-----
> From: Joseph Reagle [mailto:reagle@w3.org]
> Sent: Wednesday, February 05, 2003 1:51 PM
> To: Hallam-Baker, Phillip; stephen.farrell@baltimore.ie
> Cc: www-xkms@w3.org
> Subject: Re: Serving static responses
>
>
> On Wednesday 05 February 2003 13:27, Hallam-Baker, Phillip wrote:
> > It is not a particularly strong mechanism, in particular it is not at
> > all secure if the request is not authenticated which is why we have
> > introduced the strong binding to the request by means of the request
> > signature repeater.
>
> (What's the "request signature repeater"?)
>
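
The client-side check that this binding makes possible, as an added example that is not part of the original email or of any XKMS implementation: the client accepts a result only if it carries the same RequestId and echoes the RequestSignatureValue the client sent. The namespace URI, the base64 encoding of the value, the sample LocateResult message and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumption: namespace URI behind the page's "xkms:" prefix.
XKMS_NS = "http://www.w3.org/2002/03/xkms#"


def check_binding(result_xml, request_id, request_sig):
    """Return (ok, reason): does this result echo the request we sent?"""
    # For untrusted peers, parse with a hardened parser (e.g. defusedxml).
    root = ET.fromstring(result_xml)
    # RequestId is use="required" in ResultAbstractType.
    if root.get("RequestId") != request_id:
        return False, "RequestId mismatch"
    # RequestSignatureValue is minOccurs="0": absence means no binding.
    elem = root.find(f"{{{XKMS_NS}}}RequestSignatureValue")
    if elem is None or not (elem.text or "").strip():
        return False, "RequestSignatureValue absent"
    try:
        # Assumption: the value is carried as base64 text.
        echoed = base64.b64decode(elem.text.strip(), validate=True)
    except ValueError:
        return False, "RequestSignatureValue not base64"
    # Constant-time comparison of the echoed value with what we sent.
    if not hmac.compare_digest(echoed, request_sig):
        return False, "RequestSignatureValue mismatch"
    return True, "bound"


def make_result(request_id, sig=None):
    """Constructed sample result message (hypothetical LocateResult)."""
    inner = ""
    if sig is not None:
        b64 = base64.b64encode(sig).decode()
        inner = f"<RequestSignatureValue>{b64}</RequestSignatureValue>"
    return (f'<LocateResult xmlns="{XKMS_NS}" ResultMajor="Success" '
            f'RequestId="{request_id}">{inner}</LocateResult>')


if __name__ == "__main__":
    # Constructed values: SHA-1 over made-up request bytes, as the email suggests.
    sent = hashlib.sha1(b"constructed request A").digest()
    other = hashlib.sha1(b"constructed request B").digest()
    print(check_binding(make_result("req-1", sent), "req-1", sent))
    print(check_binding(make_result("req-1", other), "req-1", sent))
    print(check_binding(make_result("req-1"), "req-1", sent))
```

This check covers only the request-to-response binding; verifying the signature on the result itself is outside its scope.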