I understand, and it is kinda neat (I assume that's a typo in your example, and it should be <ds:Signature/>).

HOWEVER, in a conventional PKI, Locate is usually served by a directory such as LDAP; LDAP directories do not sign their response. Validate, on the other hand, is done by things like OCSP (which do) or the Identrus RM. :)

Locate doesn't need a signature, because you can ask for the cert which is itself signed. Validation is making more abstract statements about the cert/key, and a relying party will probably require the entity responding to sign things.

Does that help?

/r$
--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com

Received on Thursday, 7 March 2002 19:21:41 GMT