- From: Rich Salz <rsalz@zolera.com>
- Date: Thu, 29 Nov 2001 10:54:08 -0500
- To: Daniel Ash <Daniel.Ash@identrus.com>
- CC: "'Mike Just '" <Mike.Just@entrust.com>, "'www-xkms-ws@w3c.org '" <www-xkms-ws@w3c.org>
> If the client initially trusts a root rather than a response signing > key from an XKMS service, won't we need to add some authentication > model for XKMS response signing keys that's analgous to that of OCSP? We probably have to do something; XKMS certs "buried in the browser" is clearly a bad way to move forward. Yet requiring a PKIX bootstrap to validate an XKMS server is equally bad. Barring some flash of insight over the next few months, I expect the best we can do is leave it to our old friend "out of band" /r$ -- Zolera Systems, Your Key to Online Integrity Securing Web services: XML, SOAP, Dig-sig, Encryption http://www.zolera.com
Received on Thursday, 29 November 2001 10:53:40 UTC