Re: [ebxmlms-develop] CertResolver questions

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <title></title>
</head>
<body>
<blockquote type="cite"
 cite="mid...@s-...">
  <div><font face="Arial" size="2"><span class="402203306-06062003">(I
presume you meant "public key", not "private key".)</span></font></div>
  <div><font face="Arial" size="2"><span class="402203306-06062003"></span></font></div>
</blockquote>
<br>
Oops.. you are right. :-)<br>
<br>
<blockquote type="cite"
 cite="mid...@s-...">
  <div>&nbsp;<font face="Arial" size="2"><span class="402203306-06062003">How
would client A trigger the CertResolver to use client A's key? If the
message appears to come from client B, the resolver should return
client B's key, and therefore the message won't verify. If the
resolver returned A's key for a message that appeared to come from B,
it would be a very bad resolver.</span></font></div>
</blockquote>
It depends on which part in the EbxmlMessage is used. It is dangerous
to use ToPartyID alone.<br>
<br>
<blockquote type="cite"
 cite="mid...@s-...">
  <div><font face="Arial" size="2"><span class="402203306-06062003">An
SSL client certificate would not always be sufficient for resolving
the message sender. Imagine a university that has multiple departments
which sign their own messages with their own keys, but all of the
messages are sent to a supplier through a single university-wide
message handler using its own client certificate. </span></font></div>
</blockquote>
Agree.<br>
<br>
<blockquote type="cite"
 cite="mid...@s-...">
  <div><font face="Arial" size="2"><span class="402203306-06062003">In
fact, it wouldn't really make sense to use a client certificate anyway:
if the message is signed, then the sender's public key should be
freely available, and therefore cached locally anyway.</span></font></div>
</blockquote>
I am not sure about your meaning. At least, I think using DSig and
SSL-Client Cert are independent issues.<br>
<br>
<blockquote type="cite"
 cite="mid...@s-...">
  <div><font face="Arial" size="2"><span class="402203306-06062003"></span></font>&nbsp;</div>
  <div><font face="Arial" size="2"><span class="402203306-06062003">Using
remote addresses is definitely not a good idea.</span></font></div>
  <div><font face="Arial" size="2"><span class="402203306-06062003"></span></font>&nbsp;</div>
  <div><font face="Arial" size="2"><span class="402203306-06062003">I'm
not sure about the current ordering of the resolving ("first use the
resolver, then look in the message"). I had it as "look in&nbsp;the
message: if it isn't there then use the resolver". How come you did it
that way?</span></font></div>
</blockquote>
Need to check code. It seems to me that it is hard to find a perfect
key for resolving cert...<br>
<br>
-Patrick
</body>
</html>