> Specify XKMS over SOAP.
> Clarify and rename the OID to specify XKMS-Validate only.

Great.

> Make support for X509Certificate a MUST. As an alternative I also like
> X509IssuerSerial as a MUST as it makes requests smaller which is nice in
> some mobile environments. As for X509Data, I suppose supporting this
> makes sense if we want to allow a single request to contain more than 1
> cert. (I.e. please validate these 12 certs). My inclination is to keep
> things simple and not allow this in this profile, especially since XKMS
> validates the whole chain, not just a single cert. But to be honest I
> don't have a strong opinion so let me know what you think.

I don't have a problem with IssuerSerial as a MUST, since it's a fairly short step to go from that to OCSP certid. :) But if others want to see it a SHOULD, that's okay.

I would put X509Data as a MAY, for just the same reasons you suggest.

> Borrow the OCSP trust model where responses can be CA signed, CA
> delegated or trusted via some out of band mechanism (other).

Good. Perhaps can even cut down on the words you have to write and mainly incorporate by reference.

/r$

Received on Wednesday, 27 August 2003 12:08:42 GMT