Subject: What the Registry needs from TRP Security
Hi,

Here is the stuff the registry needs from the TRP to have an effective integration. In Chris's words, "let the flames begin ..." ;-)

1. Authentication - for now means signed headers (I assume). The TRP spec should have the semantics and syntax for how to do this. Then the registry can say HeaderSignatureRequired in the CPA and use the signature to validate the identity of the user. Can we get this by the 0.9 version?

1.a. Chris had mentioned that Application Services would be available by 1.0 - but we need the basics now.

2. Submitting organizations (SOs) should sign the content. We might need an element "PayLoadSignatureRequired" in the CPA for this.

   a) Remember this could be different from the authentication certificates/credentials above.
   b) This signature ensures integrity.
   c) This is required not only for the registry but also for the clients who refer to the content for biz critical apps.
   d) So the content and the signature will be stored.
   e) When a client receives content (which has the content signature (as submitted by the SO) as well), it should check the integrity.
   f) I saw that even the CPP would require a signature for integrity.
   g) In this context, the TRP would RECOMMEND the semantics and syntax for signing and encryption. One caution here is that the MSH should give the content to the Registry along with the signature.
   h) I agree that the TRP is payload agnostic. So if the method is not specified, the registry will have to specify.
   i) Also, I know that the three methods (S/MIME, PGP, DSIG) are specified in the TRP specs and will be more detailed for the 0.9 version. We need that detail (the syntax/binding).

cheers