Question about Locate Service

I'm a little confused as to a typical use case for the Locate service.

The spec says that

"Tier 1: Processing of the <ds:KeyInfo> element by the application is 
delegated to a service. The service returns a <ds:KeyInfo> element that
describes a public key meeting the criteria specified by the client
application. Validation of the <ds:KeyInfo> is performed by the client."

In the Document Signature and Data Encryption examples, the client requests
a KeyName and KeyValue for Alice to be returned. The Locate service returns
a <ds:KeyInfo> with a KeyName and KeyValue. From my understanding, 
at this point, the client has no idea whether the KeyValue returned 
by the Locate service is or ever was the public key for Alice, since we do
"NOT REQUIRE the service to make an assertion containing the validity
of the binding between the data in the <ds:KeyInfo> element." The client
is supposed to validate the KeyInfo that is returned. How is the client
going to do this with just these values? The client will probably have
to build and validate a chain of certificates himself to find out what
Alice's public key is. What is the usefulness of the Locate service here?

I could understand if the client asked the Locate service to return an
X509 certificate or chain of certificates, and then the client did the
validation himself. Is that the intended usage of the Locate service?

Thanks,
Yassir.
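To make the Tier 1 contract concrete, here is an added illustration (not code from the post or from the XKMS specification) of what "validation of the <ds:KeyInfo> is performed by the client" can look like: the client parses the KeyName/KeyValue that Locate returned and only accepts the key if it matches one the client has already verified through its own means (assumed here to be a local table of keys previously extracted from chain-validated certificates). The sample KeyInfo and key values are constructed placeholders, not real RSA material.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"  # XML Signature namespace used by ds:KeyInfo

# Constructed sample: a KeyInfo as a Locate service might return it for Alice.
# Modulus/Exponent are short placeholder values, not a real RSA key.
SAMPLE_LOCATE_RESPONSE = f"""
<KeyInfo xmlns="{DS}">
  <KeyName>Alice</KeyName>
  <KeyValue>
    <RSAKeyValue>
      <Modulus>AQIDBA==</Modulus>
      <Exponent>AQAB</Exponent>
    </RSAKeyValue>
  </KeyValue>
</KeyInfo>
"""

# Constructed trust store (assumption): keys the client has already validated
# itself, e.g. taken from certificates it chain-validated earlier.
TRUSTED_KEYS = {
    "Alice": (base64.b64decode("AQIDBA=="), base64.b64decode("AQAB")),
}


def parse_locate_keyinfo(xml_text):
    """Return (KeyName, modulus bytes, exponent bytes) from a ds:KeyInfo,
    or None when the response lacks a usable name or RSAKeyValue."""
    root = ET.fromstring(xml_text)
    name = root.findtext(f"{{{DS}}}KeyName")
    rsa = root.find(f"{{{DS}}}KeyValue/{{{DS}}}RSAKeyValue")
    if name is None or rsa is None:
        return None
    mod = rsa.findtext(f"{{{DS}}}Modulus")
    exp = rsa.findtext(f"{{{DS}}}Exponent")
    if mod is None or exp is None:
        return None
    return name, base64.b64decode(mod), base64.b64decode(exp)


def client_validates_binding(xml_text, trusted=TRUSTED_KEYS):
    """Tier 1: the Locate result carries no assertion about the name/key
    binding, so the client accepts it only if the key equals one it already
    trusts for that KeyName; anything else (unknown name, different key,
    missing KeyValue) is rejected."""
    parsed = parse_locate_keyinfo(xml_text)
    if parsed is None:
        return False
    name, mod, exp = parsed
    return trusted.get(name) == (mod, exp)
```

With only a KeyName and KeyValue to go on, this is the whole of what the client can check locally; if the trust table does not already hold Alice's key, the client is back to obtaining and validating a certificate chain itself.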

Received on Thursday, 17 January 2002 16:28:44 UTC