Re: transaction specific policies

> Daniel Ash wrote:
> 
> Many Policy Identifiers will likely be shared across multiple providers.  So a policy URI
> would probably be more suitable.

Hmm. Personally, I'm not convinced, since I think URIs are cheap, except when they
have to be configured into clients - I prefer munging as many xkms settings as possible
into the responder URI, since that way the client has less (and possibly minimal) 
configuration.

However, I realise that others might not agree.

> I can draft a description of transaction policy, and how it can be used to give meaning to
> 'validate', if someone else can deal with where to put it and the xml.

Ok. Why not do that and then we can see if there's consensus on including it
in the spec. (Thanks for volunteering.)

> As for "unbelievable stuff" being embedded, I would be more worried about elements like
> 'ProcessInfo', and 'UseWith'.  These are loosely defined and left open for extensibility (for
> what?).

One of the problems with extensibility I guess - people make unexpected uses
of it.

Cheers,
Stephen.

> 
> -dan
> 
> -----Original Message-----
> From: Stephen Farrell
> To: reagle@w3.org
> Cc: Daniel Ash; 'www-xkms@w3.org '
> Sent: 8/21/02 6:15 AM
> Subject: Re: transaction specific policies
> 
> From memory, don't we have the service URL in the request and
> (perhaps munged) in the response already (for security reasons)?
> 
> So isn't that enough of a policy identifier?
> If you say "yes", I'm happy.
> 
> This does mean though that there's no way that a client could
> indicate (in a standard fashion) things like the transaction
> amount to the server. I think that's the right approach, but
> want to be sure we're clear. (The reason I'm going on about
> this is that I've seen projects where the most unbelievable
> stuff was being passed about using OCSP, which for a PKI product
> vendor, is a PITA;-)
> 
> Stephen.
> 
> Joseph Reagle wrote:
> >
> > On Tuesday 20 August 2002 02:11 pm, Daniel Ash wrote:
> > > I would suggest for xkms to say less (nothing) about the format and
> > > meaning of a policy than x509.  Maintain the ability to bind policy to a
> > > key (for PKIs that don't use certificates), and to add the capability to
> > > bind policy to a transaction (cert or certless PKIs).  Identifiers only.
> >
> > I agree. Presently it is ambiguous as to what the meaning of a validation
> > means, and if there is an identifier associated with the transaction it is
> > no longer ambiguous -- even if the definition itself is out of scope.
> 
> --
> ____________________________________________________________
> Stephen Farrell
> Baltimore Technologies,   tel: (direct line) +353 1 881 6716
> 39 Parkgate Street,                     fax: +353 1 881 7000
> Dublin 8.                mailto:stephen.farrell@baltimore.ie
> Ireland                             http://www.baltimore.com

-- 
____________________________________________________________
Stephen Farrell
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com

Received on Wednesday, 21 August 2002 10:11:35 UTC