DSS TC XKMS Last Call Comments

DSS TC:

The DSS TC raised the issue of how one should indicate to an XKMS client
that key information returned by an XKMS service was associated with a
DSS service.  This would indicate that the keys are in possession of the
DSS service and associated with the DSS client through a signed
attribute.  It was suggested that a new <KeyUsage> element value or a
<UseKeyWith> URI might be appropriate.

We do not believe a new <KeyUsage> element value is the correct
mechanism for addressing this issue.  KeyUsage is intended to identify
the cryptographic operation that a key may be used for.  It is not
intended to indicate other factors such as how a key is stored or who
has control over the key's use.  Within the DSS context, the appropriate
KeyUsage would be "Signature".

We recommend definition of a new <UseKeyWith> URI as the appropriate
mechanism for meeting your requirements.  The XKMS specification (23
July 2003 Editor's Draft) defines UseKeyWith as:
"[184] The primary use intended for <UseKeyWith> identifiers is to
identify application protocols. <UseKeyWith> URI identifiers MAY be
specified that represent key binding issuance and/or use policies
instead of or in addition to an application protocol. In this case the
<UseKeyWith> element specifies that the key binding complies with the
specified policy."
As we understand the objectives of the DSS TC, you are defining a use
policy for a signing key.  That use policy is along the lines of:
signature generation is performed by an authorized DSS server and is
bound to a given client via a signed attribute.  Once the DSS TC has
formalized this policy statement, a URI may be associated with it.  The
DSS TC should define this URI and incorporate it into the DSS
specification.  The DSS effort is not at the appropriate standards
status level for a normative reference from within the XKMS
specification.

The XKMS WG would like to thank you for reviewing and commenting on the
draft XKMS specification.  We believe this addresses your comments to
the best of our ability and assume the issue is closed unless we hear
otherwise.

Regards,
Blair Dillaway on behalf of the XKMS WG
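
The check described above, as an added example that is not part of the message or of either specification: an XKMS client inspects a returned key binding for KeyUsage "Signature" and for a DSS-defined use-policy URI carried in <UseKeyWith>. The policy URI, the KeyName and the use of the Identifier attribute to hold the client identifier are assumptions (the DSS TC would define the real URI); the sample binding is constructed.

```python
import xml.etree.ElementTree as ET

XKMS_NS = "http://www.w3.org/2002/03/xkms#"
# Placeholder: the DSS TC would define the real use-policy URI in the DSS spec.
DSS_SERVER_SIGNING_POLICY = "urn:example:dss:server-held-signing-key-policy"

# Constructed sample of a key binding as an XKMS service might return it.
# Identifier carrying the DSS client identifier is an assumption of this example.
SAMPLE_KEY_BINDING = f"""<KeyBinding xmlns="{XKMS_NS}" Id="kb-1">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyName>dss-server-key-01</ds:KeyName>
  </ds:KeyInfo>
  <KeyUsage>Signature</KeyUsage>
  <UseKeyWith Application="{DSS_SERVER_SIGNING_POLICY}" Identifier="client-42"/>
</KeyBinding>"""


def parse_key_binding(xml_text):
    """Return (set of KeyUsage values, list of (Application, Identifier) pairs)."""
    root = ET.fromstring(xml_text)
    usages = {e.text.strip() for e in root.findall(f"{{{XKMS_NS}}}KeyUsage") if e.text}
    uses = [(e.get("Application"), e.get("Identifier"))
            for e in root.findall(f"{{{XKMS_NS}}}UseKeyWith")]
    return usages, uses


def is_dss_held_signing_key(xml_text, client_id):
    """True if the binding is usable for signing and carries the DSS use policy
    bound to this client. KeyUsage answers only which cryptographic operation
    the key may perform; the policy URI answers who holds and operates it."""
    usages, uses = parse_key_binding(xml_text)
    # XKMS treats an absent KeyUsage as "all uses permitted".
    if usages and "Signature" not in usages:
        return False
    return any(app == DSS_SERVER_SIGNING_POLICY and ident == client_id
               for app, ident in uses)
```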

Received on Friday, 1 August 2003 20:16:29 UTC