
RE: Locate/Validate clarification

From: David Cross <dcross@microsoft.com>
Date: Mon, 23 Sep 2002 08:43:34 -0700
Message-ID: <EAF0D3EB7735D643BD4EFB9E6D7DA61C032A0F01@RED-MSG-10.redmond.corp.microsoft.com>
To: <Yassir.Elley@Sun.COM>, <www-xkms@w3.org>

Looks good.  Possible suggestion for the Locate text - the client may
only want the EE cert or key:

"The Locate operation can be used by clients that wish to outsource only
public key, certificate or certificate path discovery."

Regards,

David B. Cross



-----Original Message-----
From: yassir elley [mailto:yassir.elley@Sun.COM] 
Sent: Monday, September 23, 2002 7:43 AM
To: www-xkms@w3.org
Subject: Locate/Validate clarification



Here is some proposed text we can use to clarify the distinction between
a Locate service and a Validate service. This text can be used to
replace the text in Section 3.3.

"	 
The Locate and Validate operations are similar in that they can both
be used by a client to offload certificate processing to a web service.
However, they differ in three fundamental ways: the number of tasks
that the operation is expected to perform, the amount of trust
delegated to the operation, and the number of outputs returned from the
operation.

The Validate operation can be used by clients that wish to outsource
both certificate path discovery and certificate path validation. Since
validation is being outsourced, the client must heavily trust
the web service that performs the Validate operation. Furthermore, the
client has no need to acquire any of the relevant data (such as
certificates or CRLs) since the client is not performing a local
validation.

The Locate operation can be used by clients that wish to outsource only
certificate path discovery. In this case, the client must trust the
web service that performs the Locate operation to the same degree that
it would trust a repository. Since the client wishes to do the
certificate validation themselves, the client requires that all
the relevant data (such as certificates and CRLs) be returned by the
operation.
"

Regards,
Yassir.
Received on Monday, 23 September 2002 11:44:10 UTC
