
Re: I-D ACTION:draft-deacon-xkms-aia-00.txt

From: Rich Salz <rsalz@datapower.com>
Date: Wed, 27 Aug 2003 12:08:38 -0400
Message-ID: <3F4CD786.9000600@datapower.com>
To: "Deacon, Alex" <alex@verisign.com>
Cc: "'Ryan M. Hurst'" <rmh@windows.microsoft.com>, ietf-pkix@imc.org, www-xkms@w3.org

> Specify XKMS over SOAP.
> Clarify and rename the OID to specify XKMS-Validate only.

Great.

> Make support for X509Certificate a MUST.  As an alternative I also like 
> X509IssuerSerial as a MUST as it makes requests smaller which is nice in 
> some mobile environments.  As for X509Data, I suppose supporting this 
> makes sense if we want to allow a single request to contain more than 1 
> cert.  (I.e. please validate these 12 certs).  My inclination is to keep 
> things simple and not allow this in this profile, especially since XKMS 
> validates the whole chain, not just a single cert.  But to be honest I 
> don't have a strong opinion so let me know what you think.

I don't have a problem with IssuerSerial as a MUST, since it's a fairly 
short step to go from that to OCSP certid. :)  But if others want to see 
it a SHOULD, that's okay.

I would put X509Data as a MAY, for just the same reasons you suggest.

> Borrow the OCSP trust model where responses can be CA signed, CA 
> delegated or trusted via some out of band mechanism (other).

Good.  Perhaps can even cut down on the words you have to write and 
mainly incorporate by reference.
	/r$
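To make the profile choices discussed above concrete, here is an added example (not from the draft or the thread participants) that builds a SOAP 1.2 wrapped XKMS ValidateRequest identifying the subject by X509Certificate or by X509IssuerSerial, and a responder-side check that admits exactly one subject per request and refuses the multi-cert X509Data batch case. The namespaces are the published SOAP 1.2, XKMS 2.0 and XMLDSig ones; the service URI and the certificate strings are constructed placeholders, and the one-subject rule is my reading of the proposal, not the draft's normative text.

```python
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"soap": SOAP, "xkms": XKMS, "ds": DS}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
SERVICE = "urn:example:xkms-responder"  # placeholder, not a real endpoint


def build_validate_request(certs=(), issuer=None, serial=None):
    """SOAP 1.2 envelope around one XKMS ValidateRequest whose QueryKeyBinding
    identifies the subject by X509Certificate(s) and/or X509IssuerSerial."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    req = ET.SubElement(body, f"{{{XKMS}}}ValidateRequest",
                        Id="req-1", Service=SERVICE)
    ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = f"{XKMS}X509Cert"
    qkb = ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding")
    keyinfo = ET.SubElement(qkb, f"{{{DS}}}KeyInfo")
    x509 = ET.SubElement(keyinfo, f"{{{DS}}}X509Data")
    for cert in certs:  # base64 DER in a real request; constructed here
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert
    if issuer is not None:
        pair = ET.SubElement(x509, f"{{{DS}}}X509IssuerSerial")
        ET.SubElement(pair, f"{{{DS}}}X509IssuerName").text = issuer
        ET.SubElement(pair, f"{{{DS}}}X509SerialNumber").text = str(serial)
    return ET.tostring(env, encoding="unicode")


def profile_check(envelope_xml):
    """Responder-side check of the proposed profile: one ValidateRequest per
    body, exactly one subject, given as X509Certificate or X509IssuerSerial.
    Returns (ok, reason); a batch of several certificates is refused."""
    root = ET.fromstring(envelope_xml)
    reqs = root.findall("soap:Body/xkms:ValidateRequest", NS)
    if len(reqs) != 1:
        return False, "expected exactly one ValidateRequest"
    data = reqs[0].findall("xkms:QueryKeyBinding/ds:KeyInfo/ds:X509Data", NS)
    if len(data) != 1:
        return False, "expected exactly one ds:X509Data"
    certs = data[0].findall("ds:X509Certificate", NS)
    pairs = data[0].findall("ds:X509IssuerSerial", NS)
    if len(certs) + len(pairs) != 1:
        return False, "exactly one certificate or issuer/serial pair allowed"
    if pairs and (pairs[0].find("ds:X509IssuerName", NS) is None
                  or pairs[0].find("ds:X509SerialNumber", NS) is None):
        return False, "X509IssuerSerial needs both issuer name and serial"
    return True, "cert" if certs else "issuerserial"
```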
Received on Wednesday, 27 August 2003 12:08:42 GMT
