5.4.1 Overview
Determining the authenticity of a RIN message, and thus being able to judge the reliability of the data it contains, is a crucial element of handling of RIN messages. This can be achieved by:
Identifying the device or software application that was used to generate a RIN message;
Identifying the user that triggered the generation of the RIN message;
Identifying on whose behalf the RIN message was generated; and
By digitally signing a RIN message.
The process of signing a RIN message is done in accordance with IETF RfC 3275 (XML-Signature Syntax and Processing).
Before signing a RIN message, the sending RIN processor needs to be in possession of the private key of the party signing the message. Similarly, before evaluating the signature of a RIN message it has received, the recieving RIN processor needs to be in possession of the public key of the party that signed the message. The process by which these private and public keys are generated and distributed/shared is out of scope for this standard.