W3C home > Mailing lists > Public > www-xkms@w3.org > August 2002

RE: transaction specific policies

From: Daniel Ash <Daniel.Ash@identrus.com>
Date: Wed, 21 Aug 2002 08:33:12 -0400
Message-ID: <2B55DABB95C4D4119C1300508BD953F1A1AAF8@BLUE01>
To: "'Stephen Farrell '" <stephen.farrell@baltimore.ie>
Cc: "''www-xkms@w3.org ' '" <www-xkms@w3.org>, "'reagle@w3.org '" <reagle@w3.org>
Many Policy Identifiers will likely be the shared across multiple providers.
So a policy URI would probably be more suitable.

A URI would cover the transaction policy.  The key policy might be important
in a certificateless scheme, but no such scheme exists yet... so we can let
that go for now.     

I can draft a description of transaction policy, and how it can be used to
give meaning to 'validate', if someone else can deal with where to put it
and the xml.  

As for "unbelievable stuff" being embedded, i would be more worried about
elements like 'ProcessInfo', and 'UseWith'.  these are loosely defined and
left open for extensibility (for what?).

-dan

-----Original Message-----
From: Stephen Farrell
To: reagle@w3.org
Cc: Daniel Ash; 'www-xkms@w3.org '
Sent: 8/21/02 6:15 AM
Subject: Re: transaction specific policies


From memory, don't we have the service URL in the request and
(perhaps munged) in the response already (for security reasons)?

So isn't that enough of a policy identifier?
If you say "yes", I'm happy. 

This does mean though that there's no way that a client could
indicate (in a standard fashion) things like the transaction
amount to the server. I think that's the right approach, but
want to be sure we're clear. (The reason I'm going on about
this is that I've seen projects where the most unbelieveable
stuff was being passed about using OCSP, which for a PKI product
vendor, is a PITA;-)

Stephen.

Joseph Reagle wrote:
> 
> On Tuesday 20 August 2002 02:11 pm, Daniel Ash wrote:
> > i would suggest for xkms to say less (nothing) about the format and
> > meaning of a policy than x509.  maintain the ability to bind policy
to a
> > key (for PKIs that don't use certificates).  and to add the
capability to
> > bind policy to a transaction (cert or certless PKIs).  identifiers
only.
> 
> I agree. Presently it is ambigous as to what the meaning of a
validation
> means, and if there is an identifier associated with the transaction
it is
> no longer ambigous -- even if the definition itself is out of scope.

-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com
Received on Wednesday, 21 August 2002 08:33:32 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:31:39 UTC