Re: [ebxmlms-develop] Enhancement request - determining message signer

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
 <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
 <title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
Peter, 
 
Your worry is very true. Thank you for pointing this out. How do you
expect to fix that? I mean, what are the methods to be added, in your
opinion? 
 
Regards, -Patrick 
 
 
Mayne, Peter wrote: 
<blockquote type="cite"
 cite="mid...@s-...">
 <meta content="text/html; " http-equiv="Content-Type">
 <meta content="MS Exchange Server version 5.5.2654.45"
 name="Generator">
 <title>Enhancement request - determining message signer</title>
 I'd like to request an enhancement to Hermes in the
message signing area.
 
 Currently, after a message has arrived, it is easy
to tell if a message is signed or not, but it isn't as easy to tell who
signed it.
 For instance, suppose I have two business partners,
A and B. A creates a message (a million dollar purchase order, for
example) that looks like it comes from B, signs it, and sends it.
Hermes accepts it, because the message is correctly signed. I look at
the message, see that it appears to come from B, and since it is
signed, assume that it does in fact come from B, and therefore invoice
B for a million dollars.
 Since there is no obvious way of telling that it
was not B who signed the message, I have incorrectly assumed that the
message came from, and was signed by, B.
 An obvious adjunct to this is being able to easily
validate any given signed message. It would be good if the Hermes
client library provided a convenient API to validate the signature of a
message. If I need to do that at the moment (because one of my partners
is trying to repudiate a message), I have to do it manually using the
excellent CECID verifier, rather than just asking Hermes to validate
the message using its existing validation facilities.
 If I'm missing something, and I can already do
these things, please let me know.
 
 Thanks.
 
 PJDM
 
 -- 
 
 Peter Mayne
 
 Technology Consultant
 
 Spherion Technology Solutions
 
 Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
 
 T: 61 2 62689727&nbsp; F: 61 2 62689777
 

 The
information contained in this email and any attachments to it:
 (a) may
be confidential and if you are not the intended recipient, any
interference with, 
use, disclosure or copying of this material is unauthorised and
prohibited; and
 (b) may
contain personal information of the recipient and/or the sender as
defined 
under the Privacy Act 1988 (Cth). Consent is hereby given by the
recipient(s) to 
collect, hold and use such information and any personal information
contained in a 
response to this email, for any reasonable purpose in the ordinary
course of 
Spherion's 
business, including forwarding this email internally or disclosing it
to a third party. All 
personal information collected by Spherion will be handled in
accordance with 
Spherion's Privacy Policy. If you have received this email in error,
please notify the 
sender and delete it.
 (c) you
agree not to employ or arrange employment for any candidate(s) supplied
in 
this email and any attachments without first entering into a
contractual agreement with 
Spherion. You further agree not to divulge any information contained in
this document 
to any person(s) or entities without the express permission of Spherion.
</blockquote>
 
</body>
</html>