
Re: I-D ACTION:draft-deacon-xkms-aia-00.txt

From: Rich Salz <rsalz@datapower.com>
Date: Wed, 27 Aug 2003 12:08:38 -0400
Message-ID: <3F4CD786.9000600@datapower.com>
To: "Deacon, Alex" <alex@verisign.com>
Cc: "'Ryan M. Hurst'" <rmh@windows.microsoft.com>, ietf-pkix@imc.org, www-xkms@w3.org

> Specify XKMS over SOAP.
> Clarify and rename the OID to specify XKMS-Validate only.


> Make support for X509Certificate a MUST.  As an alternative I also like 
> X509IssuerSerial as a MUST as it makes requests smaller which is nice in 
> some mobile environments.  As for X509Data, I suppose supporting this 
> makes sense if we want to allow a single request to contain more then 1 
> cert.  (I.e. please validate these 12 certs).  My inclination is to keep 
> things simple and not allow this in this profile, especially since XKMS 
> validates the whole chain, not just a single cert.  But to be honest I 
> don't have a strong opinion so let me know what you think.

I don't have a problem with IssuerSerial as a MUST, since it's a fairly 
short step to go from that to OCSP certid. :)  But if others want to see 
it a SHOULD, that's okay.

I would put X509Data as a MAY, for just the same reasons you suggest.

> Borrow the OCSP trust model where responses can be CA signed, CA 
> delegated or trusted via some out of band mechanism (other).

Good.  Perhaps you can even cut down on the words you have to write and 
mainly incorporate by reference.
Received on Wednesday, 27 August 2003 12:08:42 UTC
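To make the size argument in the quoted text concrete, here is an added example (not code from this thread or from the draft) that builds the two XKMS ValidateRequest forms under discussion: one carrying the full certificate in ds:X509Certificate and one carrying only a ds:X509IssuerSerial reference, plus the multi-certificate case a ds:X509Data with several children would allow. The XKMS and XML-Signature namespaces and the ValidateRequest/QueryKeyBinding/KeyInfo nesting are assumed from the XKMS 2.0 drafts of the period; the Service URL, request Id, issuer name and the certificate bytes are constructed stand-ins, not real values.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces assumed from the XKMS 2.0 drafts and XML-Signature (assumption, not from the thread).
XKMS_NS = "http://www.w3.org/2002/03/xkms#"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xkms", XKMS_NS)
ET.register_namespace("ds", DS_NS)

# Constructed stand-in for DER certificate bytes; roughly the size of a small real certificate.
# This is NOT a real certificate.
FAKE_CERT_DER = bytes(range(256)) * 4


def make_sample_certs(count):
    """Constructed (issuer_name, serial, der_bytes) tuples for the demo."""
    return [("CN=Example CA,O=Example", 1000 + i, FAKE_CERT_DER) for i in range(count)]


def build_validate_request(certs, by_reference):
    """Serialize an XKMS ValidateRequest asking the responder to validate `certs`.

    by_reference=True identifies each certificate with ds:X509IssuerSerial
    (issuer name + serial number); False embeds the full ds:X509Certificate.
    Several entries yield several children under one ds:X509Data, which is the
    'validate these 12 certs' case discussed in the thread.
    """
    root = ET.Element(
        f"{{{XKMS_NS}}}ValidateRequest",
        Id="req-1",  # constructed request id
        Service="http://xkms.example.test/validate",  # constructed service URL
    )
    qkb = ET.SubElement(root, f"{{{XKMS_NS}}}QueryKeyBinding")
    key_info = ET.SubElement(qkb, f"{{{DS_NS}}}KeyInfo")
    x509_data = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
    for issuer, serial, der in certs:
        if by_reference:
            ref = ET.SubElement(x509_data, f"{{{DS_NS}}}X509IssuerSerial")
            ET.SubElement(ref, f"{{{DS_NS}}}X509IssuerName").text = issuer
            # XML-Signature carries the serial as a decimal integer.
            ET.SubElement(ref, f"{{{DS_NS}}}X509SerialNumber").text = str(serial)
        else:
            cert = ET.SubElement(x509_data, f"{{{DS_NS}}}X509Certificate")
            cert.text = base64.b64encode(der).decode("ascii")
    return ET.tostring(root, encoding="utf-8")


def count_subjects(request_xml):
    """Count the certificates a request asks about, in either encoding."""
    root = ET.fromstring(request_xml)
    refs = root.findall(f".//{{{DS_NS}}}X509IssuerSerial")
    full = root.findall(f".//{{{DS_NS}}}X509Certificate")
    return len(refs) + len(full)


def request_sizes(certs):
    """Return (bytes_by_reference, bytes_with_full_certs) for the same cert list."""
    return (
        len(build_validate_request(certs, by_reference=True)),
        len(build_validate_request(certs, by_reference=False)),
    )


if __name__ == "__main__":
    one = make_sample_certs(1)
    twelve = make_sample_certs(12)
    print("1 cert  (issuer/serial vs full):", request_sizes(one))
    print("12 certs (issuer/serial vs full):", request_sizes(twelve))
    print("subjects in 12-cert request:", count_subjects(build_validate_request(twelve, True)))
```

Running the script prints the byte counts of the two encodings for one and for twelve certificates; the reference form stays a few hundred bytes per certificate while the embedded form grows by the base64-expanded certificate each time, which is the mobile-bandwidth point made above. The multi-certificate request is also where the profile question bites: the responder must decide whether to answer for each subject or reject the request, so keeping a single subject per request (as the quoted text leans toward) removes that ambiguity.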
