"Hallam-Baker, Phillip" wrote: > > It is also the model that meets the original goal of shielding > the client from the horrors of PKI. The model I have been > promoting is the Client asks the validate service for a key > and the validate service then grovels through whatever databases, > DNS, directories, Locate services etc it needs to get the > answer. > > If you have a client that is already PKI litterate then the > locate service makes a lot of sense since chain building > is hard while chain validation is relatively straightforward. > That way you still get your traditional end to end security. > > The mixed model of do a locate first then throw the data at > a validate service makes much less sense to me. I know people > think it is a winner but I don't see that myself. Why have the > client be a blind relay when the service can do the job for it? I completely agree with the above (I apologize if it was not clear in my original question). I did not question the need for a separate Locate service to support the use case for Locate + local validation. I was questioning the "Locate followed by Validate" scenario where a single Validate request could be used instead. -- Slava Galperin mailto:slava.galperin@sun.com For in much wisdom is much grief: and he that increaseth knowledge increaseth sorrow. (Ecclesiastes 1:18)Received on Wednesday, 18 December 2002 19:02:24 GMT