Kenneth,

> And if my application only knows the value of the key, how will it
> know which XKMS service to ask for more information? I'm sorry if I
> seem a bit blind on this...

No problem. I'd imagine that one of the main modes-of-operation for xkms would be where a client has a configured responder that it trusts for pretty much everything.

In that case, if the client receives a ds:Signature just containing a ds:KeyValue, then it can do a validate on the ds:KeyInfo and request the responder to return a binding. It's only when the binding comes back that the client gets to see what it can treat as an authenticated identity for the signer.

Nice side effect: if the xkms responder is not just a dumb x.509 front-end, then the signer and verifier don't have to use the same name for the signer! One less thing to break interop.

Stephen.

Received on Thursday, 19 May 2005 11:42:30 GMT
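The flow described in the message above, as an added example that is not part of the original post: the client wraps the received ds:KeyInfo in an XKMS ValidateRequest and takes an identity only from a Valid binding for the same key. The responder URL, the sample key values and the function names are assumptions made for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

DS, XKMS = "http://www.w3.org/2000/09/xmldsig#", "http://www.w3.org/2002/03/xkms#"
NS = {"ds": DS, "x": XKMS}
RESPONDER = "https://xkms.example.org/validate"  # assumed: the client's configured responder

# Constructed input: a ds:Signature whose KeyInfo holds only a ds:KeyValue (values shortened).
SIGNATURE = (f'<ds:Signature xmlns:ds="{DS}"><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>'
             '<ds:Modulus>AQIDBAUG</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>'
             '</ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature>')

def key_material(key_info):
    """Whitespace-free text of the ds:KeyValue, or None if there is none."""
    kv = None if key_info is None else key_info.find("ds:KeyValue", NS)
    return None if kv is None else "".join("".join(kv.itertext()).split())

def build_validate_request(signature_xml):
    """Put the received ds:KeyInfo into an XKMS ValidateRequest for the responder."""
    key_info = ET.fromstring(signature_xml).find("ds:KeyInfo", NS)
    sent_key = key_material(key_info)
    if sent_key is None:
        raise ValueError("signature carries no ds:KeyValue")
    req = ET.Element(f"{{{XKMS}}}ValidateRequest",
                     {"Id": "I" + secrets.token_hex(8), "Service": RESPONDER})
    for item in ("KeyValue", "KeyName"):
        ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = XKMS + item
    ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding").append(key_info)
    return req, sent_key

def authenticated_identities(result_xml, request_id, sent_key):
    """(Application, Identifier) pairs from Valid bindings for the key we sent."""
    res = ET.fromstring(result_xml)
    if res.get("RequestId") != request_id or res.get("ResultMajor") != XKMS + "Success":
        return []  # not the answer to our request, or the request failed
    names = []
    for kb in res.findall("x:KeyBinding", NS):
        status = kb.find("x:Status", NS)
        if status is None or status.get("StatusValue") != XKMS + "Valid":
            continue  # Invalid or Indeterminate: nothing is authenticated
        if key_material(kb.find("ds:KeyInfo", NS)) != sent_key:
            continue  # binding describes a different key than the one that signed
        names += [(u.get("Application"), u.get("Identifier"))
                  for u in kb.findall("x:UseKeyWith", NS)]
    return names
```

Transport to the responder and verification of the responder's own reply are outside this sketch; the client would serialize the request with `ET.tostring` and send it over its authenticated channel.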