[QTI] assessments and digital signatures

Steve Lay swl10 at cam.ac.uk
Wed Jun 18 12:00:23 BST 2008


I haven't heard of anyone solving this issue in content packaging.  The 
WS discussion seems to have centred around securing the end-points of 
the communications channel in the transaction rather than providing a 
more persistent security feature of the packages being exchanged.

So you may have an open field to implement the most appropriate solution 
for you.

As the package is the basic data stream that will be moved around it 
makes sense to make sure that your signature mechanism can be used to 
generate a file inside the package that is robust to packaging and 
repackaging (so doesn't depend on resource IDs in the manifest).

To make sure that the signature travels with the package though you'll 
need to add a reference to it in the manifest.  I'm not sure what 
resource type you would need to set for it though.  You probably want 
the resource type to indicate that the resource is a signature.

If I hear different, I'll report back to the list.

Steve


Armin Blawitzki wrote:
> Hello,
> 
> I want to draft an extension for the IMS QTI-conformant delivery engine onyx (http://onyx.bps-system.de/) that uses digital signatures to guarantee that neither the QTI-conformant content packages nor the answers given by students were altered.
> 
> Some references to the use of signatures could be found in the specifications for "General Web Services", which refer to the WS Security guidelines. These guidelines finally use the W3C specifications to sign XML documents.
> 
> I'm not sure how to interpret the specifications in "General Web Services". Should I deduce that I could include the (W3C-conformant) signatures into the IMS manifest or even the XML files defining i.e. the assessmentTest or items? In this case it's possible to save and secure the content packages with their signatures.
> Or should this be interpreted merely as a way to secure a SOAP message which contains the content package as one of its elements? In that case the signature could only secure the transport of the content package. But to save the signature apart from the CP seems pretty circumstantial and insecure to me.
> 
> Armin Blawitzki
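
One way to get the property described in the reply above, as an added example that is not code from either poster or from onyx: hash each payload file by path into a digest file stored inside the package, so the bytes that get signed do not depend on manifest resource IDs, entry order or compression. Assumptions: the path `signature/digests.txt` and all function names are hypothetical, file paths stay stable across repackaging, the manifest is left outside the digest list, and the signature over the digest file itself (for example a W3C XML Signature) is not shown.

```python
import hashlib, io, zipfile

MANIFEST = "imsmanifest.xml"
DIGESTS = "signature/digests.txt"  # hypothetical path for the file that gets signed

def digest_list(pkg: bytes) -> bytes:
    """'sha256  path' lines over payload files, sorted by path. The manifest and
    the digest file are skipped, so rewritten resource IDs do not matter."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        rows = sorted((i.filename, hashlib.sha256(zf.read(i)).hexdigest())
                      for i in zf.infolist()
                      if not i.is_dir() and i.filename not in (MANIFEST, DIGESTS))
    return "".join(f"{h}  {p}\n" for p, h in rows).encode()

def seal(pkg: bytes) -> bytes:
    """Return a copy of the package with the digest file added."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(pkg)) as src, zipfile.ZipFile(out, "w") as dst:
        for i in src.infolist():
            if i.filename != DIGESTS:
                dst.writestr(i.filename, src.read(i))
        dst.writestr(DIGESTS, digest_list(pkg))
    return out.getvalue()

def changed_paths(pkg: bytes) -> set:
    """Paths that were altered, added or removed relative to the digest file."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        stored = set(zf.read(DIGESTS).decode().splitlines())
    current = set(digest_list(pkg).decode().splitlines())
    return {line.split("  ", 1)[1] for line in stored ^ current}

def build(files: dict, compression=zipfile.ZIP_STORED) -> bytes:
    """Constructed sample package: write `files` in the given dict order."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", compression) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return out.getvalue()

# Constructed sample content, not taken from a real QTI package.
ITEM, TEST = b"<assessmentItem/>", b"<assessmentTest/>"
original = seal(build({MANIFEST: b'<resource identifier="RES-1"/>',
                       "items/q1.xml": ITEM, "test.xml": TEST}))
signed_bytes = digest_list(original)  # same bytes seal() stored in DIGESTS
# Repackaged: new resource IDs, different entry order, deflate compression.
repackaged = build({"test.xml": TEST, DIGESTS: signed_bytes, "items/q1.xml": ITEM,
                    MANIFEST: b'<resource identifier="NEW-77"/>'}, zipfile.ZIP_DEFLATED)
tampered = build({MANIFEST: b"<manifest/>", DIGESTS: signed_bytes,
                  "items/q1.xml": b"<assessmentItem hint='b'/>", "test.xml": TEST})
```

Because the manifest is outside the digest list here, changes to the manifest are not detected by this check; only the item and test files named in the digest file are covered.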