RE: URL-level trust (was: Re: XKMS)

Mike Just wrote:
>You raise another interesting point regarding validation
>based on the origin of the request and suggest that this
>could be done based on the signature of the requestor.
>I suspect you cite the use of a signed request as an
>example since it is certainly not necessary. As a matter
>of fact, I might prefer to see an element that allows the
>requestor to specify some "name" or "identifier" as part
>of the request. So long as this field is returned as part
>of the authenticated response, the requestor can ensure
>that the correct identifier was used. Thus, authentication
>of the request is not required. (As a matter of fact, even
>if the request were signed, you'd still need to include the
>name of the signer in the authenticated response.  If you
>didn't an attacker could just resubmit an altered request
>and sign on their own.)

You're right, I was just giving an example.  If the request is signed, then
this might work.  If the request isn't signed, then an identifier would be
required to identify the policy to use, rather than being able to discern it
from the signature.

Thanks for pointing out that my example was incomplete.


>Such an identifier could arguably just be included in the
>URL, e.g.
>http://xkms.xmltrustcenter.org/us_gov_bridge_ca_confidential?name=Mike_Just
>but it seems more reasonable to add a separate element (in
>case the name exceeds the length of URL accepted by some
>servers).  Although I use a personal name in this example,
>this name might be the name of an application (as Jeremy
>highlights above or the name of a role).

I'm not particularly concerned about how the identifier shows up, although
I'd like to avoid using personal names, because that implies that different
people have different policies.  Yes, that could be true... but it's not the
desired case.  (I can see where the legal dept might have stronger
requirements for certificates than support... after all, legal might be
using signatures for contracts and rely on XKMS to validate the certificate
used for signing, while support is just trying to more-or-less track who's
getting help, and it's not that important if an unauthorized user gets a bit
of support.)

--Jeremy

Received on Monday, 3 December 2001 08:04:10 UTC
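The binding Mike describes above (the requestor's identifier must be echoed inside the authenticated response, or an intermediary can resubmit an altered request under a different name and hand back a validly signed answer computed against the wrong policy) is easy to see in a small simulation. The code below is an added example written for this archive page, not code from the thread or from any XKMS implementation: an HMAC over a canonical JSON body stands in for the XML-Signature on the response, and the "legal"/"support" policies, the "US Gov Bridge CA" issuer and the requestor names are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for the XKMS responder's signing key.
RESPONDER_KEY = b"constructed-demo-key-not-a-real-secret"

# Hypothetical per-requestor policies: legal only trusts the bridge CA,
# support accepts any issuer (as in Jeremy's legal-vs-support example).
POLICIES = {
    "legal": {"require_bridge_ca": True},
    "support": {"require_bridge_ca": False},
}


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so signer and verifier MAC the same bytes.
    return json.dumps(body, sort_keys=True).encode()


def sign(body: dict) -> dict:
    """Responder authenticates the response body (HMAC stands in for XMLDSIG)."""
    mac = hmac.new(RESPONDER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify(response: dict) -> bool:
    """Requestor checks the responder's MAC over the body it received."""
    expected = hmac.new(RESPONDER_KEY, _canonical(response["body"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response["mac"])


def validate_cert(cert: dict, policy: dict) -> bool:
    # Toy validation: the only policy knob is whether the bridge CA is required.
    if policy["require_bridge_ca"]:
        return cert["issuer"] == "US Gov Bridge CA"
    return True


def responder(request: dict, echo_identifier: bool) -> dict:
    """Select the policy from the unauthenticated 'requestor' field, validate,
    and optionally echo that identifier inside the signed response."""
    policy = POLICIES[request["requestor"]]
    body = {"cert": request["cert"],
            "valid": validate_cert(request["cert"], policy)}
    if echo_identifier:
        body["requestor"] = request["requestor"]
    return sign(body)


def requestor_accepts(response: dict, my_name: str, my_cert: dict) -> bool:
    """The requestor trusts the answer only if it is authentic, is about the
    certificate it asked about, and (when present) names its own policy."""
    if not verify(response):
        return False
    body = response["body"]
    if body["cert"] != my_cert:
        return False
    # Without an echoed identifier there is nothing to compare against, so
    # a response computed under someone else's policy is indistinguishable.
    if body.get("requestor", my_name) != my_name:
        return False
    return body["valid"]


def altered_request_scenario(echo_identifier: bool) -> bool:
    """Legal asks about a non-bridge certificate; an intermediary resubmits the
    same question as 'support'. Returns True if legal wrongly accepts it."""
    cert = {"subject": "contract-signer", "issuer": "Some Other CA"}
    original = {"requestor": "legal", "cert": cert}
    altered = dict(original, requestor="support")  # what the responder sees
    response = responder(altered, echo_identifier)
    return requestor_accepts(response, "legal", cert)


def honest_scenario(echo_identifier: bool) -> bool:
    """Legal asks about a bridge-CA certificate with no tampering."""
    cert = {"subject": "contract-signer", "issuer": "US Gov Bridge CA"}
    response = responder({"requestor": "legal", "cert": cert}, echo_identifier)
    return requestor_accepts(response, "legal", cert)


if __name__ == "__main__":
    print("no echo, altered request accepted:", altered_request_scenario(False))
    print("echo,    altered request accepted:", altered_request_scenario(True))
    print("echo,    honest request accepted: ", honest_scenario(True))
```

Whether the identifier travels in the request body or as a URL query parameter makes no difference to this check; what matters is that the responder copies the identifier it actually used into the part of the response that its signature covers, so the requestor can compare it with the name it sent.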