- From: Frederick Hirsch <hirsch@zolera.com>
- Date: Wed, 28 Nov 2001 15:09:08 -0500
- To: "www-xkms-ws" <www-xkms-ws@w3.org>
Received on Wednesday, 28 November 2001 15:07:29 UTC
I'm not sure I understand the need for AuthServerInfoType in addition to AuthUserInfoType. I think the intent is that AuthServerInfoType is used for the client to authenticate in a request in the case where the server generated the key pair. Couldn't the client still include a ProofOfPossession in the request to authenticate once the private key was delivered to the client? If so, then the AuthUserInfoType could be used for all client authentication to the server. Alternately, not all elements in AuthUserInfoType are required to be used. This would require trusting the server not to distribute the private key incorrectly - is a concern for non-repudiation the reason for the two type definitions? thanks --- Frederick Hirsch Zolera Systems, http://www.zolera.com/ Information Integrity, XML Security
Received on Wednesday, 28 November 2001 15:07:29 UTC