- From: Daniel Ash <Daniel.Ash@identrus.com>
- Date: Wed, 21 Aug 2002 08:33:12 -0400
- To: "'Stephen Farrell '" <stephen.farrell@baltimore.ie>
- Cc: "''www-xkms@w3.org ' '" <www-xkms@w3.org>, "'reagle@w3.org '" <reagle@w3.org>
- Message-ID: <2B55DABB95C4D4119C1300508BD953F1A1AAF8@BLUE01>
Many Policy Identifiers will likely be shared across multiple providers, so a policy URI would probably be more suitable. A URI would cover the transaction policy. The key policy might be important in a certificateless scheme, but no such scheme exists yet... so we can let that go for now.

I can draft a description of transaction policy, and how it can be used to give meaning to 'validate', if someone else can deal with where to put it and the XML.

As for "unbelievable stuff" being embedded, I would be more worried about elements like 'ProcessInfo' and 'UseWith'. These are loosely defined and left open for extensibility (for what?).

-dan

-----Original Message-----
From: Stephen Farrell
To: reagle@w3.org
Cc: Daniel Ash; 'www-xkms@w3.org '
Sent: 8/21/02 6:15 AM
Subject: Re: transaction specific policies

From memory, don't we have the service URL in the request and (perhaps munged) in the response already (for security reasons)? So isn't that enough of a policy identifier? If you say "yes", I'm happy.

This does mean though that there's no way that a client could indicate (in a standard fashion) things like the transaction amount to the server. I think that's the right approach, but want to be sure we're clear.

(The reason I'm going on about this is that I've seen projects where the most unbelievable stuff was being passed about using OCSP, which, for a PKI product vendor, is a PITA ;-)

Stephen.

Joseph Reagle wrote:
>
> On Tuesday 20 August 2002 02:11 pm, Daniel Ash wrote:
> > I would suggest for XKMS to say less (nothing) about the format and
> > meaning of a policy than X.509. Maintain the ability to bind policy to a
> > key (for PKIs that don't use certificates), and add the capability to
> > bind policy to a transaction (cert or certless PKIs). Identifiers only.
>
> I agree. Presently it is ambiguous as to what the meaning of a validation
> means, and if there is an identifier associated with the transaction it is
> no longer ambiguous -- even if the definition itself is out of scope.

--
____________________________________________________________
Stephen Farrell
Baltimore Technologies, tel: (direct line) +353 1 881 6716
39 Parkgate Street, fax: +353 1 881 7000
Dublin 8. mailto:stephen.farrell@baltimore.ie
Ireland http://www.baltimore.com
Received on Wednesday, 21 August 2002 08:33:32 UTC
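The two positions in this message (an explicit transaction-policy URI in the request versus letting the service URL stand in as the policy identifier, with the policy's definition itself out of scope) can be shown side by side in a small responder. The following is an added example, not code from the thread, from the XKMS specification or from any of the participants; the policy URIs, the service URL, the `KeyBinding` shape and the field names are assumptions made for illustration.

```python
"""Added example; not code from the XKMS thread or the W3C specification.
A toy validation responder that gives 'validate' a meaning by dispatching on
a transaction-policy URI. The policy URIs, service URL, field names and the
KeyBinding shape below are assumptions made for illustration only."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class KeyBinding:
    """Constructed stand-in for the key binding a client asks about."""
    key_id: str
    key_usage: set          # e.g. {"Signature", "Encryption"}
    not_after: date
    revoked: bool = False
    use_with: dict = field(default_factory=dict)  # application -> identifier


# Only the URI travels on the wire; the checks it stands for live server-side,
# which is what "identifiers only, definition out of scope" amounts to.
POLICIES = {
    "urn:example:policy:signature-basic": {
        "usage": "Signature", "check_revocation": False},
    "urn:example:policy:signature-strict": {
        "usage": "Signature", "check_revocation": True},
}

# The alternative raised in the thread: let the service URL imply the policy.
SERVICE_DEFAULT_POLICY = {
    "https://xkms.example/validate": "urn:example:policy:signature-basic",
}

TODAY = date(2002, 8, 21)   # constructed "now" for the examples


def sample_binding(revoked=False, expired=False, usage="Signature"):
    """Constructed key binding for demonstration (assumed values)."""
    not_after = date(2002, 1, 1) if expired else date(2003, 1, 1)
    return KeyBinding("k1", {usage}, not_after, revoked=revoked)


def resolve_policy(service_url, policy_uri=None):
    """An explicit policy URI in the request wins; otherwise use the policy
    implied by the service URL. Returns None if neither names a known policy."""
    candidate = policy_uri or SERVICE_DEFAULT_POLICY.get(service_url)
    return candidate if candidate in POLICIES else None


def validate(binding, service_url, today, policy_uri=None):
    """Return (status, reasons). A request whose policy cannot be resolved is
    answered 'Indeterminate' rather than validated under some unstated default,
    so the answer never means more (or less) than the named policy says."""
    resolved = resolve_policy(service_url, policy_uri)
    if resolved is None:
        return "Indeterminate", ["unknown-policy"]
    policy = POLICIES[resolved]
    reasons = []
    if policy["usage"] not in binding.key_usage:
        reasons.append("wrong-usage")
    if today > binding.not_after:
        reasons.append("expired")
    if policy["check_revocation"] and binding.revoked:
        reasons.append("revoked")
    return ("Valid" if not reasons else "Invalid"), reasons


if __name__ == "__main__":
    kb = sample_binding(revoked=True)
    # Same binding, same service: the answer depends on which policy is named.
    print(validate(kb, "https://xkms.example/validate", TODAY))
    print(validate(kb, "https://xkms.example/validate", TODAY,
                   "urn:example:policy:signature-strict"))
```

The point the two `print` calls make is the one Joseph raised: the same key binding is "Valid" under the policy the service URL implies and "Invalid" under the stricter URI, so without an identifier the client cannot know which question it asked. Note that nothing here carries a transaction amount; as Stephen observes, an identifier-only design leaves no standard place for it.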