- From: Rich Salz <rsalz@zolera.com>
- Date: Thu, 07 Mar 2002 19:21:18 -0500
- To: reagle@w3.org
- CC: stephen.farrell@baltimore.ie, www-xkms@w3.org

I understand, and it is kinda neat (I assume that's a typo in your example, and it should be <ds:Signature/>).

HOWEVER, in a conventional PKI, Locate is usually served by a directory such as LDAP; LDAP directories do not sign their response. Validate, on the other hand, is done by things like OCSP (which do) or the Identrus RM. :)

Locate doesn't need a signature, because you can ask for the cert which is itself signed. Validation is making more abstract statements about the cert/key, and a relying party will probably require the entity responding to sign things.

Does that help?

/r$

--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com

Received on Thursday, 7 March 2002 19:21:41 UTC