W3C home > Mailing lists > Public > www-xkms@w3.org > August 2002

RE: More Comments on Aug 1 Spec

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Tue, 27 Aug 2002 14:29:33 -0700
Message-ID: <2F3EC696EAEED311BB2D009027C3F4F40DB8A838@vhqpostal.verisign.com>
To: "Dournaee, Blake" <bdournaee@rsasecurity.com>, www-xkms@w3.org

> Why then, does Bob use "KeyValue" as a <RespondWith> value? 
> The example
> assumes he already has the capability to parse the X.509 
> certificate to
> extract the public key. If he has the key already, why does 
> he need the
> service to give it back to him? He has already performed cryptographic
> signature verification.

Hmm, well spotted there.....

A possible reason could be that Bob is excessively paranoid and wants
to tie the response back to the actual signing key on the document,
removing the certificate from the equation...

> Also, it should be made clear in this example the nature of 
> the certificate
> chain. Is the chain terminated with a self-signed CA 
> certificate or does the
> minimal chain in the example end with an Intermediate CA 
> certificate? If so,
> how does the service know which certificate to check if 
> neither cert is
> self-signed? And if the chain is terminated with a 
> self-signed certificate,
> why can't the client trust this chain implicitly (as long as 
> it trusts the
> top of the root) and not bother with the service request at all?

Actually it is a self signed root, however the point is that only
the service needs to worry about that issue which would be a PKIX 
one in any case.

Received on Tuesday, 27 August 2002 17:28:08 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:31:39 UTC