Question regarding the signature
chaodhib opened this issue · 0 comments
chaodhib commented
Hi,
The spec mentions 3 endpoints: discovery, status and requests (the endpoint to submit a new DSR). Then there is the callback coming from the data processor to the data controller.
The requests and status endpoints both provide a header X-OpenDSR-Signature in the response. My questions are:
- What is the purpose of that signature in the response of these 2 endpoints? Is it about accountability/auditing purposes?
- I would assume that preventing a MITM attack would be done by other means (during the TLS handshake, checking that the certificate provided by the data processor is valid, signed by a trusted CA & that the domain matches). Is that correct?
- Should the controller validate those signatures (the same way it should validate the signature in the callback)? This is unclear in the spec as far as I am aware.
Thank you!