- From: Stephen Farrell <stephen.farrell@baltimore.ie>
- Date: Wed, 04 Dec 2002 14:57:22 +0000
- To: Blair Dillaway <blaird@exchange.microsoft.com>
- CC: "Hallam-Baker, Phillip" <pbaker@verisign.com>, Daniel Ash <dash@68summit.com>, Just.Mike@tbs-sct.gc.ca, reagle@w3.org, www-xkms@w3.org
Blair Dillaway wrot > > Also in basic agreement with Phill position on what a client is supposed > to do with them. The typical client won't have any idea what these > mean, at least not any more than clients actually make use of X509 CA > CPSes in making decisions today. So, in the typical case I expect these > policy qualifiers are just advisory info the XKMS service felt obligated > to insert in its responses. The client wouldn't include them in a > subsequent validate request. I think we're all in agreement with the goal, but I still haven't seen how a dumb client knows which UseKeyWith values ought be in a validate subsequent to a locate (esp. when different responders were used). Maybe Phill you could post the paragraph you're thinking of including in the spec and that'll be the quickest way to sort it? Stephen. > > The only time the policy qualifiers are useful is if a client > application is specifically written with knowledge of some > key-certification policy. For example, some banking app might be > designed to only use keys meeting the 'P$$' policy. In this case, it > would look for keys which have a UseKeyWith P$$ qualifier and would > likley include this in a validate request. In this case the P$$ policy > is an application specific usage indicator just like a UseKeyWith S/MIME > might be for an email program. > > Back to Steve's question, I believe the spec should indicate clients > aren't required to use policy qualifiers they don't understand. They > may use those they do understand. > > Blair > > -----Original Message----- > From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com] > Sent: Tuesday, December 03, 2002 8:33 AM > To: stephen.farrell@baltimore.ie; Hallam-Baker, Phillip > Cc: Daniel Ash; Just.Mike@tbs-sct.gc.ca; reagle@w3.org; www-xkms@w3.org > > > Ok, we've eliminated issue#2 (degrees of freedom), but what's the > > answer to issue#1 after we do this? I.e. > > > > Alice: Locate keys for Fred > > Responder: Here's Fred's key1 for UseKeyWith p1,p2,p3 and > > his other key2 for p4,p5 > > (Alice wants to encrypt to fred) > > Alice: Validate Fred's key1 for <<UseKeyWith stuff>> > > > > What does the naive client, who has no idea of what p1-5 represent, > > put in between the <<>> ? > > The naive client has to operate off applications, not policies. So look > for the key that is labeled for use with S/MIME or whatever you want to > use. > > The configuration you propose is not one I believe is suited to the > completely naive client where surely chaining with the Validate service > doing the locate would be the configuration of choice. > > What is the point of having the client do a Locate if it does not have > any comprehension whatsoever of the data returned? > > Phill -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 881 6716 39 Parkgate Street, fax: +353 1 881 7000 Dublin 8. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com
Received on Wednesday, 4 December 2002 09:58:48 UTC