- From: Hallam-Baker, Phillip <pbaker@verisign.com>
- Date: Tue, 17 Dec 2002 09:28:17 -0800
- To: "Www-Xkms (E-mail)" <www-xkms@w3.org>
- Message-ID: <CE541259607DE94CA2A23816FB49F4A310FEFC@vhqpostal6.verisign.com>
Issue 25:

Element <ResponseMechanism>

The <ResponseMechanism> element in the request specifies one or more strings included in the request that specify extended protocol mechanisms that the client supports in connection with a request. ResponseMechanism values are specified as QNames; the following identifiers are defined:

| Identifier | Description |
|---|---|
| xkms:Pending | The requestor is prepared to accept a response that uses asynchronous processing, i.e. the service MAY return the MajorResult code xkms:Pending |
| xkms:Represent | The requestor is prepared to accept a response that uses the two phase protocol, i.e. the service MAY return the MajorResult code xkms:Represent |
| xkms:RequestSignatureValue | The requestor is prepared to accept a response that carries a <RequestSignatureValue> element. |

The following schema defines the <ResponseMechanism> element:

Element <ResultAbstractType>

The ResultAbstractType abstract type is the type from which all XKMS response element types are derived. The ResultAbstractType abstract type inherits the element and attributes of the MessageAbstractType abstract type and in addition contains the following attributes

<RequestSignatureValue> [Optional]
The value of the ds:SignatureValue element of the corresponding request.

Element <RequestSignatureValue>

The <RequestSignatureValue> element provides a cryptographic linkage between the request and the response. A service SHOULD include the <RequestSignatureValue> element in a response if the following conditions are satisfied and MUST NOT include the value otherwise:

* The <ds:Signature> element was present in the corresponding request
* The service successfully verified the <ds:Signature> element in the corresponding request, and
* The ResponseMechanism xkms:RequestSignatureValue was specified.

If the <RequestSignatureValue> element is present in a response the requestor MUST reject the message if either:

* The corresponding request was not authenticated, or:
* The value ds:Signature/ds:SignatureValue in the request does not match the value RequestSignatureValue in the response.

The <RequestSignatureValue> element is of ds:SignatureValueType type specified in the XML Signature specification [XML-SIG].

Then in the protocols section:

Authenticated Request

If the request and the response are authenticated the correspondence of the request and response may be determined by verifying the value of RequestID in the response.

Digest Authenticated Request

If the original request was authenticated by means of a message digest, the service can still ensure a strong binding of the response to the original request by means of the <RequestSignatureValue> element.
Received on Tuesday, 17 December 2002 12:28:19 UTC
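The inclusion and rejection rules proposed in the message above, sketched as an added example that is not part of the original post or of any XKMS implementation. The XKMS namespace URI, the LocateRequest/LocateResult wrappers, the function names and the sample messages are assumptions or constructed for illustration.

```python
import base64
import binascii
import hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XKMS = "{http://www.w3.org/2002/03/xkms#}"  # assumed; the message gives no namespace URI

def _octets(elem):
    """Decode a ds:SignatureValueType element to bytes; None if missing or malformed."""
    if elem is None or not elem.text:
        return None
    try:
        return base64.b64decode("".join(elem.text.split()), validate=True)
    except (binascii.Error, ValueError):
        return None

def service_may_echo(request_xml, signature_verified):
    """Service side: include the element only if all three conditions hold."""
    root = ET.fromstring(request_xml)
    signed = root.find(DS + "Signature") is not None
    # Assumes the prefix "xkms" is bound to the XKMS namespace in the request.
    asked = any((m.text or "").strip() == "xkms:RequestSignatureValue"
                for m in root.iter(XKMS + "ResponseMechanism"))
    return signed and signature_verified and asked

def requestor_check(request_xml, response_xml, request_authenticated):
    """Requestor side: returns 'absent', 'accept' or 'reject'."""
    echoed = ET.fromstring(response_xml).find(XKMS + "RequestSignatureValue")
    if echoed is None:
        return "absent"  # the MUST-reject rules apply only when the element is present
    if not request_authenticated:
        return "reject"
    sent = _octets(ET.fromstring(request_xml).find(f"{DS}Signature/{DS}SignatureValue"))
    got = _octets(echoed)
    # Compare decoded octets so base64 line wrapping cannot cause a false mismatch.
    if sent is None or got is None or not hmac.compare_digest(sent, got):
        return "reject"
    return "accept"

# Constructed sample messages (not from the original post); the signature is dummy data.
SIG = base64.b64encode(b"constructed-signature-octets").decode()
NS = 'xmlns="http://www.w3.org/2002/03/xkms#" xmlns:xkms="http://www.w3.org/2002/03/xkms#"'
REQUEST = (f'<LocateRequest {NS} xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           f'<ds:Signature><ds:SignatureValue>{SIG[:20]}\n{SIG[20:]}</ds:SignatureValue>'
           '</ds:Signature><ResponseMechanism>xkms:RequestSignatureValue'
           '</ResponseMechanism></LocateRequest>')
RESPONSE = f'<LocateResult {NS}><RequestSignatureValue>{SIG}</RequestSignatureValue></LocateResult>'
```

Neither function verifies a signature: `signature_verified` and `request_authenticated` must come from the XML Signature processing of the request and of the exchange, and the echoed value only binds the response to the request when the response itself is authenticated.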