AuthServerInfo question

From: Frederick Hirsch <hirsch@zolera.com>
Date: Wed, 28 Nov 2001 15:09:08 -0500
To: "www-xkms-ws" <www-xkms-ws@w3.org>
Message-ID: <HNEILHLKDJAILJJBNELPKEFFCIAA.hirsch@zolera.com>

I'm not sure I understand the need for AuthServerInfoType in addition to
AuthUserInfoType.

I think the intent is that AuthServerInfoType is used for the client to
authenticate in a request in the case where the server generated the key
pair. Couldn't the client still include a ProofOfPossession in the request
to authenticate once the private key was delivered to the client? If so,
then the AuthUserInfoType could be used for all client authentication to the
server. Alternately, not all elements in AuthUserInfoType are required to be
used.

This would require trusting the server not to distribute the private key
incorrectly - is a concern for non-repudiation the reason for the two type
definitions?

thanks
---
Frederick Hirsch
Zolera Systems, http://www.zolera.com/
Information Integrity, XML Security
Received on Wednesday, 28 November 2001 15:07:29 EST