- From: Rich Salz <rsalz@datapower.com>
- Date: Wed, 27 Aug 2003 12:08:38 -0400
- To: "Deacon, Alex" <alex@verisign.com>
- Cc: "'Ryan M. Hurst'" <rmh@windows.microsoft.com>, ietf-pkix@imc.org, www-xkms@w3.org
> Specify XKMS over SOAP.
> Clarify and rename the OID to specify XKMS-Validate only.

Great.

> Make support for X509Certificate a MUST. As an alternative I also like
> X509IssuerSerial as a MUST as it makes requests smaller which is nice in
> some mobile environments. As for X509Data, I suppose supporting this
> makes sense if we want to allow a single request to contain more than 1
> cert. (I.e. please validate these 12 certs). My inclination is to keep
> things simple and not allow this in this profile, especially since XKMS
> validates the whole chain, not just a single cert. But to be honest I
> don't have a strong opinion so let me know what you think.

I don't have a problem with IssuerSerial as a MUST, since it's a fairly short step to go from that to OCSP certid. :) But if others want to see it a SHOULD, that's okay. I would put X509Data as a MAY, for just the same reasons you suggest.

> Borrow the OCSP trust model where responses can be CA signed, CA
> delegated or trusted via some out of band mechanism (other).

Good. Perhaps can even cut down on the words you have to write and mainly incorporate by reference.

/r$
Received on Wednesday, 27 August 2003 12:08:42 UTC