Re: thy tiers might cease...

On Wednesday 06 March 2002 18:49, Rich Salz wrote:
> > Learning what the concepts of Retrieve, Locate, and Validate is not
> > difficult. However, they are rather arbitrary tokens (e.g., collision
> > on validate) and what one is actually doing is sending a request and
> > asking for some information. Let the query state what is being asked
> > for: the key value, KeyInfo, KeyInfo and trust information.
>
> I can understand the surface appeal, but I believe the semantics are so
> different, and so well-understood by the security community, that this
> would be a bad idea.

Yikes! I rarely find consistent usage of terms such as validate and verify, 
to speak nothing of "well-understood" and agreed upon. <grin/>

Regardless, please note that my request that the query and respond both be 
prototype-based structures, using NS-qualified and XML-typed structures 
(which the query already is), is distinct from whether we replace the 
<Validate> and <Locate> tags with a single <Request> tag. I'm arguing that 
getting rid of them would be a natural result of cleaning up the <Respond>.

But since you mention semantics, let's examine that. What are the special 
semantics associated with the tokens "ds:RetrievalMethod", "Locate", and 
"Validate"?

"ds:RetrievalMethod" -- asks for a binary key structure.
"Locate" -- asks for an XML key structure.
"Validate" -- asks for an XML key structure and KeyBinding statements.

These are all requests for particular bits of data. If the data requested 
is explicitly asked for, I'm not aware of any additional processing or 
behavior required by the client or server because it's wrapped in a 
Validate tag.

The only argument I *can* see is that maybe someone would want to ask three 
different sorts of questions:
1. JoeBlow returns a KeyValue and a ValidityInterval that have nothing to 
do with each other. (Don't know of what use this would be.)
2. JoeBlow returns a KeyValue and a ValidityInterval and is saying these 
are both statements about a single key: they are "bound." (This is always 
the presumption of XKMS, I think, so I don't see the need for it to be singled out.)
3. JoeBlow returns a KeyValue and a ValidityInterval that Sally says are 
bound; Joe is just "quoting" that and forwarding it on. (I don't think XKMS 
accommodates this and I don't believe it needs to.)

So, if I'm going to ask you for a key and some KeyBinding information, what 
essential semantic is served by the addition of the <Validate> syntax that 
affects the client or server behavior, or the import of the message?

-- 

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Wednesday, 6 March 2002 19:32:44 UTC