Subject: Re: What the Registry needs from TRP Security
Krishna,

Please see below.

Happy holidays,

Chris

Krishna Sankar wrote:
>
> Hi,
>
> Here are the stuff registry needs from the TRP to have an effective
> integration. In Chris's words "let the flames begin ..." ;-)
>
> 1. Authentication - for now means signed headers (I assume). The TRP spec
> should have the semantics and syntax how to do this. Then the registry can
> say HeaderSignatureRequired in the CPA and use the signature to validate the
> identity of the user.
> Can we get this by the 0.9 version?

Yes, using XMLDSIG the header and/or payload can be signed. The blah, blah, yadda yadda, yadda in the spec will be fleshed out by the time we cut the version for the POC.

>
> 1.a. Chris had mentioned that Application Services would be available by
> 1.0 - but we need the basics now.

I'm not sure I understand... What do you require?

>
> 2. Submitting organizations (SOs) should sign the content. We might need an
> element "PayLoadSignatureRequired" in the CPA for this.

This comes from the TP group and is ultimately something required by the BP. However, there is something in the CPA now for this.

>
> a) Remember this could be different from the authentication
> certificates/credentials above.

Indeed, but again, when dealing with payload, this is an application issue, not a MSH issue. If a separate signature is required for the payload, then the application, or application services layer should perform the signing.

> b) This signature ensures integrity.

I'm not sure I understand... that there be a MAC that is signed?

> c) This is required not only for the registry but also for the clients who
> refer to the content for biz critical apps
> d) So the content and the signature will be stored.
> e) When a client receives a content (which has the content signature (as
> submitted by the SO) as well), it should check the integrity
> f) I saw that even the CPP would require a signature for integrity.

Yes, it has one as does the CPA.

> g) In this context, the TRP would RECOMMEND the semantics and syntax for
> signing and encryption. One caution here is that the MSH should give the
> content to the Registry along with the signature.

If the payload is signed with a MIME-signing scheme (S/MIME) then the MSH most certainly provides the application with the object as well as the signature to do as it sees fit.

> h) I agree that the TRP is payload agnostic. So if the method is not
> specified, the registry will have to specify.

Method for what?

> i) Also, I know that the three methods (S/MIME, PGP, DSIG) are specified in
> the TRP specs and will be more detailed for the 0.9 version. We need that
> detail - the syntax/binding)

S/MIME is already there. PGP and DSIG will be added after I get back from my ski trip ;-)

>
> cheers
--
Christopher Ferris
Sr. Staff Engineer
Sun Microsystems, Inc; XTC Advanced Development
email: chris.ferris@east.sun.com
tel (work): 781-442-3063
tel (cell): 508-667-0402
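
The hand-off discussed in points d) and g), where the application receives both the signed object and its signature, can be sketched for the S/MIME `multipart/signed` case as follows. This is an added example, not code from the thread or from the TRP specification; the function name `split_multipart_signed` and the sample message are constructed for illustration, and it only separates the two parts for storage (signature verification itself needs a CMS library and is not shown).

```python
from email.parser import BytesParser

# Constructed sample: a tiny multipart/signed entity with a dummy 6-byte "signature".
SAMPLE = (
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
    b'micalg=sha-256; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/xml\r\n"
    b"\r\n"
    b"<RegistryEntry id='constructed'/>\r\n"
    b"--b1\r\n"
    b"Content-Type: application/pkcs7-signature\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"AAECAwQF\r\n"
    b"--b1--\r\n"
)

def split_multipart_signed(raw: bytes):
    """Return (signed_bytes, signature, info) from an RFC 1847 multipart/signed entity."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    hdrs = BytesParser().parsebytes(head + b"\r\n\r\n", headersonly=True)
    boundary = hdrs.get_param("boundary")
    if not sep or hdrs.get_content_type() != "multipart/signed" or not boundary:
        raise ValueError("not a well-formed multipart/signed entity")
    # The CRLF before each delimiter belongs to the delimiter, not to the part.
    chunks = (b"\r\n" + body).split(b"\r\n--" + boundary.encode("ascii"))
    parts, closing = chunks[1:-1], chunks[-1]
    if len(parts) != 2 or not closing.startswith(b"--"):
        raise ValueError("expected exactly two body parts and a closing delimiter")
    if not all(p.startswith(b"\r\n") for p in parts):
        raise ValueError("malformed boundary line")
    # First part: kept byte-for-byte (MIME headers included), because the
    # signature was computed over these exact bytes; re-serialising may break it.
    signed_bytes = parts[0][2:]
    # Second part: the detached signature, transfer-decoded to raw bytes.
    signature = BytesParser().parsebytes(parts[1][2:]).get_payload(decode=True)
    info = {"protocol": hdrs.get_param("protocol"), "micalg": hdrs.get_param("micalg")}
    return signed_bytes, signature, info

if __name__ == "__main__":
    obj, sig, info = split_multipart_signed(SAMPLE)
    print(info, len(obj), sig.hex())
```

Storing `signed_bytes` unchanged next to `signature` is what lets a later client re-check integrity against the submitter's original signature.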