- From: Stephen Farrell <stephen.farrell@baltimore.ie>
- Date: Tue, 27 Nov 2001 10:18:28 +0000
- To: Rich Salz <rsalz@zolera.com>
- CC: Blair Dillaway <blaird@microsoft.com>, "Hallam-Baker, Phillip" <pbaker@verisign.com>, Mike Just <Mike.Just@entrust.com>, www-xkms-ws@w3c.org
All,

I'd tend to agree that the URL level "trust" model is the
thing to go with for xkms. Two further questions:-

1. Is there a specific issue with preventing replay of a response
from a different service URL (but the same responder key etc.),
or, is there a general issue with correlating requests and
responses? That is, is the fix likely to be along the lines
of "include the service URL in a signed response" or "include
a random value in the request and that same value in the
corresponding response"?

2. Could anyone who disagrees with using service URLs as "trust
selectors" or who thinks we *need* to specify a finer-granularity
of something (whether in request or response) please speak up in
the next couple of days?

Stephen.

Rich Salz wrote:
>
> > You wouldn't actually need to have a different WSDL description per URL.
>
> No, you don't HAVE to have them; I was putting too much on the "private"
> notation made in the current spec about the service URL.
>
> I'd expect someone who was providing an outsourced service would want to
> keep each binding in a separate file, but that's just a guess.
>
> > Either suggested approach for handling multiple trust models would work.
> > I think the real issue is whether the folks planning to build such
> > services believe one of them makes their life simpler. I tend to favor
> > the URL model, but admit this view is based on fairly limited thinking
> > about how I might want to deploy such a system.
>
> Same here.
>
> > I can't imagine clients trying to deal
> > dynamically with what trust models are supported by a given service.
> > Going to web page to get info on supported trust models (like current
> > CPS docs for CAs) seems adequate to me.
>
> Agreed.
> /r$
> --
> Zolera Systems, Your Key to Online Integrity
> Securing Web services: XML, SOAP, Dig-sig, Encryption
> http://www.zolera.com

--
____________________________________________________________
Stephen Farrell
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com
Received on Tuesday, 27 November 2001 05:18:17 UTC
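
The two fixes asked about in question 1, as an added example that is not part of the original message or of the XKMS specification: the responder binds the service URL and the request's random value into the signed response, and the client checks both. The HMAC stands in for the responder's XML signature, and the key, URLs and field names are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

RESPONDER_KEY = b"constructed-demo-key"  # assumption: stand-in for the responder's signing key

def _mac(fields: dict) -> str:
    # Canonical JSON so both sides authenticate identical bytes.
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(RESPONDER_KEY, data, hashlib.sha256).hexdigest()

def respond(service_url: str, request: dict) -> dict:
    """Responder: bind the answer to the URL it was served from and echo the nonce."""
    signed = {
        "service_url": service_url,
        "nonce": request["nonce"],
        "result": "key binding valid",
    }
    return {"signed": signed, "mac": _mac(signed)}

def check(response: dict, called_url: str, sent_nonce: str,
          require_url: bool = True, require_nonce: bool = True) -> str:
    """Client: return "ok" or the reason the response is rejected."""
    signed = response["signed"]
    if not hmac.compare_digest(response["mac"], _mac(signed)):
        return "bad signature"
    if require_url and signed["service_url"] != called_url:
        return "wrong service URL"
    if require_nonce and not hmac.compare_digest(signed["nonce"], sent_nonce):
        return "nonce mismatch"
    return "ok"

def demo() -> dict:
    url_a = "https://xkms.example/policy-a"  # constructed service URLs,
    url_b = "https://xkms.example/policy-b"  # same responder key behind both
    old_req = {"nonce": secrets.token_hex(16)}
    old_resp_a = respond(url_a, old_req)     # responses captured earlier
    old_resp_b = respond(url_b, old_req)
    new_nonce = secrets.token_hex(16)        # client's fresh request to URL A
    return {
        "fresh": check(respond(url_a, {"nonce": new_nonce}), url_a, new_nonce),
        "cross_url_replay": check(old_resp_b, url_a, new_nonce, require_nonce=False),
        "same_url_replay_url_only": check(old_resp_a, url_a, new_nonce, require_nonce=False),
        "same_url_replay_with_nonce": check(old_resp_a, url_a, new_nonce),
    }

if __name__ == "__main__":
    print(demo())
```

With only the URL check, a response captured earlier from the same URL is still accepted; the echoed random value is what rejects it.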