> If the client initially trusts a root rather than a response signing
> key from an XKMS service, won't we need to add some authentication
> model for XKMS response signing keys that's analogous to that of OCSP?

We probably have to do something; XKMS certs "buried in the browser" is clearly a bad way to move forward. Yet requiring a PKIX bootstrap to validate an XKMS server is equally bad. Barring some flash of insight over the next few months, I expect the best we can do is leave it to our old friend "out of band"

/r$

--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com

Received on Thursday, 29 November 2001 10:53:40 EST
This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 13:51:43 EDT