
RE: D-AR006.7 discussion points

From: Joseph Hui <Joseph.Hui@exodus.net>
Date: Tue, 7 May 2002 16:17:42 -0700
Message-ID: <45258A4365C6B24A9832BFE224837D551D1BF0@SJDCEX01.int.exodus.net>
To: "Mark Baker" <distobj@acm.org>
Cc: <www-ws-arch@w3.org>
> From: Mark Baker [mailto:distobj@acm.org]
> Sent: Tuesday, May 07, 2002 3:07 PM
> To: Joseph Hui
> Cc: www-ws-arch@w3.org
> Subject: Re: D-AR006.7 discussion points
> 
> 
> On Tue, May 07, 2002 at 02:29:38PM -0700, Joseph Hui wrote:
> > > That is very different than saying that PKI should be used.  The use
> > > of public keys does not require PKI.
> > 
> > D-AR006.7 doesn't say or imply PKI should be used.  Note the mention
> > of KDC there.
> 
> Ok, I meant "KI". 8-) 
> I don't believe we need to require centralization of key storage. 

"KI" it is.  (It doesn't matter to me.  I was nitpicking.)

The req doesn't call for centralization of key storage.
KDC (like Kerberos) approaches work that way.
PKI doesn't -- the public key comes with the certs, e.g. 

The req calls for Key Management. 
The issue at hand is whether it should be in scope.

> I'd prefer a more Web friendly approach of just giving
> each key a URI, and allowing me to GET it (and returning 401 or 403 on
> secret keys, for example).

How dare you mention a mechanism here.  
This is not the place.  Shhhhhhhhhhhh ... ;-). 

Cheers,

Joe Hui
Exodus, a Cable & Wireless service
Received on Tuesday, 7 May 2002 19:17:40 GMT
