Re: Question about Locate Service

One scenario I can imagine where the Locate service is useful in this case is that
the client already has the certificate or chain but lacks the ability to process it,
e.g. to extract the public key from the certificate. Then the client can use the
Locate service to ask the server to get the key value for him.

Remember the key objective of XKMS is to minimize the complexity of PKI on the
client side. So as a client you should be able to do PKI with XKMS even if you
cannot deal with things like X.509.

Jiandong Guo
Phaos Technology



Yassir Elley - Sun Microsystems wrote:

> I'm a little confused as to a typical use case for the Locate service.
>
> The spec says that
>
> "Tier 1: Processing of the <ds:KeyInfo> element by the application is
> delegated to a service. The service returns a <ds:KeyInfo> element that
> describes a public key meeting the criteria specified by the client
> application. Validation of the <ds:KeyInfo> is performed by the client."
>
> In the Document Signature and Data Encryption examples, the client requests
> a KeyName and KeyValue for Alice to be returned. The Locate service returns
> a <ds:KeyInfo> with a KeyName and KeyValue. From my understanding,
> at this point, the client has no idea whether the KeyValue returned
> by the Locate service is or ever was the public key for Alice, since we do
> "NOT REQUIRE the service to make an assertion containing the validity
> of the binding between the data in the <ds:KeyInfo> element." The client
> is supposed to validate the KeyInfo that is returned. How is the client
> going to do this with just these values? The client will probably have
> to build and validate a chain of certificates himself to find out what
> Alice's public key is. What is the usefulness of the Locate service here?
>
> I could understand if the client asked the Locate service to return an
> X509 certificate or chain of certificates, and then the client did the
> validation himself. Is that the intended usage of the Locate service?
>
> Thanks,
> Yassir.

Received on Friday, 18 January 2002 10:47:08 UTC
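The Tier 1 Locate exchange the two posts argue over, as an added example that is not part of the original thread or of the XKMS spec: a service handing back a ds:KeyInfo holding a KeyName and a bare RSA KeyValue, and a client that takes that at face value. The ds: element names are the XML-Signature ones the thread refers to; the function names (locate_result, parse_key_info, naive_tier1_client), the omission of the XKMS request/response wrappers, and the stdlib-only RSA/PKCS#1 v1.5 arithmetic are this example's own choices. It shows Yassir's point concretely: a KeyValue returned under Alice's name verifies any signature made with the matching private key, whoever holds it, so a client with nothing but the Locate result cannot tell Alice's key from a substituted one; the name-to-key binding has to come from something the client can check itself, such as the certificate chain he mentions.

```python
"""Tier-1 XKMS Locate round trip: what the client gets back and what it can check.
Added example, not from the thread or the XKMS spec; element names follow the
XML-Signature namespace, the XKMS wrappers are omitted, and RSA/PKCS#1 v1.5 is
done on bare integers (standard library only, demonstration only)."""
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)


def _tag(local):
    return "{%s}%s" % (DS, local)


def _is_probable_prime(n, rounds=32):
    # Miller-Rabin; candidates always have their top and low bit set, so n >= 3.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (n, e, d). 512-bit is for speed only; real keys are >= 2048 bits."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def _i2b64(x):
    return base64.b64encode(x.to_bytes((x.bit_length() + 7) // 8, "big")).decode()


def _b642i(text):
    # ds:CryptoBinary values may be wrapped across lines; drop whitespace first.
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")


def locate_result(key_name, n, e):
    """What a Tier-1 Locate service hands back: a KeyName plus a bare KeyValue."""
    ki = ET.Element(_tag("KeyInfo"))
    ET.SubElement(ki, _tag("KeyName")).text = key_name
    rsa = ET.SubElement(ET.SubElement(ki, _tag("KeyValue")), _tag("RSAKeyValue"))
    ET.SubElement(rsa, _tag("Modulus")).text = _i2b64(n)
    ET.SubElement(rsa, _tag("Exponent")).text = _i2b64(e)
    return ET.tostring(ki, encoding="unicode")


def parse_key_info(xml_text):
    """Client side: pull (name, n, e) out of the returned ds:KeyInfo."""
    ki = ET.fromstring(xml_text)
    rsa = ki.find("%s/%s" % (_tag("KeyValue"), _tag("RSAKeyValue")))
    if rsa is None:
        raise ValueError("Locate result carries no RSAKeyValue")
    return (ki.findtext(_tag("KeyName")),
            _b642i(rsa.findtext(_tag("Modulus"))),
            _b642i(rsa.findtext(_tag("Exponent"))))


# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(message, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(message, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify(message, signature, n, e):
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(message, k)


def naive_tier1_client(message, signature, locate_xml, expected_name):
    """Trusts the Locate result as-is: only the KeyName can be compared, since
    a bare KeyValue carries nothing that binds the key to that name."""
    name, n, e = parse_key_info(locate_xml)
    return name == expected_name and verify(message, signature, n, e)
```

Run it with two key pairs, one for Alice and one for an impostor: a Locate result that says "Alice" but carries the impostor's modulus is accepted by naive_tier1_client just as readily as the genuine one, which is exactly the gap the quoted spec text leaves to the client. The client only closes it by obtaining something it can verify on its own (an X509Data chain it validates itself) and then comparing that certificate's public key with the KeyValue it was handed.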