Re: transaction specific policies

From memory, don't we have the service URL in the request and
(perhaps munged) in the response already (for security reasons)?

So isn't that enough of a policy identifier?
If you say "yes", I'm happy. 

This does mean though that there's no way that a client could
indicate (in a standard fashion) things like the transaction
amount to the server. I think that's the right approach, but
want to be sure we're clear. (The reason I'm going on about
this is that I've seen projects where the most unbelievable
stuff was being passed about using OCSP, which for a PKI product
vendor, is a PITA;-)

Stephen.

Joseph Reagle wrote:
> 
> On Tuesday 20 August 2002 02:11 pm, Daniel Ash wrote:
> > i would suggest for xkms to say less (nothing) about the format and
> > meaning of a policy than x509.  maintain the ability to bind policy to a
> > key (for PKIs that don't use certificates).  and to add the capability to
> > bind policy to a transaction (cert or certless PKIs).  identifiers only.
> 
> I agree. Presently it is ambiguous as to what the meaning of a validation
> means, and if there is an identifier associated with the transaction it is
> no longer ambiguous -- even if the definition itself is out of scope.

-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com

Received on Wednesday, 21 August 2002 06:16:07 UTC