W3C home > Mailing lists > Public > www-xkms@w3.org > December 2002

Re: Changelog #2

From: Slava Galperin <slava.galperin@sun.com>
Date: Wed, 11 Dec 2002 13:57:52 -0800
Message-ID: <3DF7B4E0.D7D0756@sun.com>
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
CC: "Www-Xkms (E-mail)" <www-xkms@w3.org>
The top 3 remaining issues are :

1. More connective stuff is needed to explain ID model for KeyBinding
(see @1(2.29,3.31, 3.33, 3.38))
   For example,  I am still unclear if one can use ID as a stable
identifier for a distinct persistent KeyBinding object or is it just a
transient message-scoped value used just to reference XML element from a
signature block of the same protocol message. I am afraid that different
implementations may end up assuming different interpretations which will
impede interoperability.

2. Define matching rules for <QueryKeyBinding> when multiple
<UseKeyWith> or <PolicyIdentifier>or <KeyUsage> are used (see
@1(2.20,2.30))

3. Address a potential request substitution vulnerability stemming from
the fact that XKRSS request type is not part of the signature scope of
KeyBindingAuthentication which allows one to transform certain forms of
ReissueRequest, RevokeRequest and RecoverRequest into each other (see
@1(3.35))

References
@1= http://lists.w3.org/Archives/Public/www-xkms/2002Nov/0037.html

Some other item-specific comments are interspersed below.

"Hallam-Baker, Phillip" wrote:

> 1.2 Deferred, should put detailed error into the SOAP binding return.
>

Are we envisioning support for bindings other than SOAP in the future ?
Is it convenient to get reason code from the payload and error details
from the envelope ?


> 1.9, 1.10 Added in some clarifying text:The request resulted in the
> number of responses that exceeded either  the ResponseLimit value
> specified in the request or some other limit determined by the
> service. The service MAY either return a subset of the possible
> responses or none at all.

I think for 1.10 it is still somewhat unclear on when the implementation
is supposed to use Success.Incomplete vs Success.TooManyResponses

>
> 1.23 Why insist on a single blob? I don't see any advantage, I see
> plenty of inconvenience.

This is certainly too insignificant to spend any more energy on. Given
that the client constructs it and the server blindly returns it, I was
just curious about the scenario where sequence of opaque values is more
convenient than a single opaque value.

>
> 2.25 No change
>
> Explanatory material is usually bad ju-ju in specifications. The
> reason why locate is required is that there are highly complex PKIs
> such as the FBCA and its international counterparts which are designed
> to have thousands of peer CAs operating. There is simply no way that
> end-entity applications can be expected to navitgate this soup in a
> meaningful or useful way because of the sheer volume of information
> required.
>
> A locate service can simply maintain a database of every CA cert and
> every cross cert and the paths between them the same way that MAPQuest
> maintains a database of highways.
>
> The people deploying these apps often want to apply the end to end
> argument and so they want to do delegated path discovery but implement
> path chain verification localy. The path math stuff is tedious but
> relatively straightforward.

I am still a little puzzled by the example [123-125]. If a client has
access to both Locate and Validate services, what would be the
motivation for "first querying the un-trusted Locate service and then
forward the information received to a Validate service to establish its
trustworthiness" rather than directly using only the Validate service to
do both locate and validate in a single request/response.

> 3.13 No Change
> Can raise to an issue if someone wants to argue the case here.
> Detailed reasons can be reported through the SOAP mechanisms.

See comment for 1.2 above

> 3.37 Pending
> At the moment HMAC-SHA1 is hard coded. Issue do we want to have
> algorthm changability? I don't want to do negotiation in the XKMS
> protocol but we could define a UDDI/WSDL parameter to allow this to be
> configured as desired.
>
Perhaps we should add an attribute for MAC algorithm used to
RevocationCodeIdentifier and RevocationCode and have a list of MAC
algorithms a server MUST support. Obviously mismatch of MAC algorithm
between the original Register and subsequent Revoke request will result
in an error.
--
Slava Galperin
mailto:slava.galperin@sun.com

My contribution was: to stay out of the way.
 (from the movie "The Million Dollar Hotel")
Received on Wednesday, 11 December 2002 16:58:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:39:18 GMT