- From: Hallam-Baker, Phillip <pbaker@verisign.com>
- Date: Tue, 27 Aug 2002 14:29:33 -0700
- To: "Dournaee, Blake" <bdournaee@rsasecurity.com>, www-xkms@w3.org
> Why then, does Bob use "KeyValue" as a <RespondWith> value? > The example > assumes he already has the capability to parse the X.509 > certificate to > extract the public key. If he has the key already, why does > he need the > service to give it back to him? He has already performed cryptographic > signature verification. Hmm, well spotted there..... A possible reason could be that Bob is excessively paranoid and wants to tie the response back to the actual signing key on the document, removing the certificate from the equation... > > Also, it should be made clear in this example the nature of > the certificate > chain. Is the chain terminated with a self-signed CA > certificate or does the > minimal chain in the example end with an Intermediate CA > certificate? If so, > how does the service know which certificate to check if > neither cert is > self-signed? And if the chain is terminated with a > self-signed certificate, > why can't the client trust this chain implicitly (as long as > it trusts the > top of the root) and not bother with the service request at all? Actually it is a self signed root, however the point is that only the service needs to worry about that issue which would be a PKIX one in any case. Phill
Received on Tuesday, 27 August 2002 17:28:08 UTC