[rus-wg] RUS Specification - non-repudiation

Jon MacLaren maclaren at cct.lsu.edu
Wed Apr 6 09:58:02 CDT 2005


On Apr 6, 2005, at 8:14 AM, Steven Newhouse wrote:
>> ...
>> Would it be better to store a digitally signed request?
>
> All incoming messages are digitally signed using WS-Security by the 
> client, so the entity contributing the record is identified. This is 
> implied but not explicit.

I don't think that's what Sven meant.  The WS-Security signature may 
well be used (the spec doesn't and shouldn't say how this is done - for 
example, at Manchester, they sometimes used transport level security 
instead), but this signature is not stored with the message, which I 
believe is the thing Sven was driving at.

> Q: Is that an implementation detail or something that needs to be 
> clarified in the specification? The spec. states the use of digital 
> signatures to record identity, it does not mandate how they are 
> obtained (at present) from the client.

No, I don't think the spec should say things like "you must use 
WS-Security".

If, however, you wanted to say that part of the message should be 
signed in the XML, say using XML signature (and provide methods for 
inspecting this later) then that would be within scope.  Because the 
format of the messages (and operations) are within scope.

Jon.




