[rus-wg] RUS Specification - non-repudiation
Steven Newhouse
sjn5 at doc.ic.ac.uk
Wed Apr 6 08:14:02 CDT 2005
Hi Sven,
> Non-repudiation is listed as a requirement for the UR storage, but is just
> logging names and dates sufficient? E.g. I could repudiate by questioning
> the quality of the implementation.
As stated in section 6 there is already a trust relationship between the
service provider (where the RUS record is generated) and the entity
running the RUS on behalf of the VO. With such a trust relationship
already in place questioning the implementation is out of scope - if you
did not trust the implementation you would not be contributing records
to it at all.
> Would it be better to store a digitally signed request?
All incoming messages are digitally signed using WS-Security by the
client, so the entity contributing the record is identified. This is
implied but not explicit.
Q: Is that an implementation detail or something that needs to be
clarified in the specification? The spec. states the use of digital
signatures to record identitiy, it does not mandate how they are
obtained (at present) from the client.
Steven
--
----------------------------------------------------------------
Dr Steven Newhouse Tel:+44 (0)2380 598789
Deputy Director, Open Middleware Infrastructure Institute (OMII)
Suite 6005, Faraday Building (B21), Highfield Campus,
Southampton University, Highfield, Southampton, SO17 1BJ, UK
More information about the rus-wg
mailing list