- From: Slava Galperin <slava.galperin@sun.com>
- Date: Tue, 17 Dec 2002 21:16:18 -0800
- To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
- CC: "Www-Xkms (E-mail)" <www-xkms@w3.org>
- Message-ID: <3E0004A1.ADD31C3C@sun.com>
So just to confirm the proposed resolution:
- The scope of KeyBinding ID is just the request message or just the
response message.
- It is not persistent
- KeyBinding ID is not used in matching rules to select target key
binding for XKISS and XKRSS
KeyBinding element in Reissue, Revoke and Recover requests is used as a
pattern to "identify" target key bindings by matching on the combination
of KeyInfo/KeyUsage/UseKeyWith values.
This still needs a few clarifications:
Should the matching rule for Reissue/Revoke/Recover be the "exact" match,
or the "superset" match:
    target.KeyInfo = request.KeyInfo and
    target.UseKeyWith "is-a-superset-of" request.UseKeyWith and
    target.KeyUsage "is-a-superset-of" request.KeyUsage
or the "any" match:
    target.KeyInfo = request.KeyInfo and
    (isEmpty(request.UseKeyWith) or
     nonEmptyIntersection(target.UseKeyWith, request.UseKeyWith)) and
    (isEmpty(request.KeyUsage) or
     nonEmptyIntersection(target.KeyUsage, request.KeyUsage))
(Note: if Register created and returned several different key bindings
(e.g. for different PKI back-ends), some of them can be inseparable for
Revoke/Reissue based on the matching rules above. This is not necessarily
an issue, though.)
Should we make KeyInfo "required" for KeyBinding inside
Reissue/Revoke/Recover requests, or should we allow either UseKeyWith or
KeyInfo to be empty/absent, but not both?
"Hallam-Baker, Phillip" wrote:
>
> 116 connective stuff to describe the key binding ID
> I am tending towards the idea that the key binding id is essentially
> random.
> The reason for this is that we do not have the type of assertion
> envelope that would support use modes where the binding id is
> persistent. Also this would tend to establish the key binding as a
> credential type in its own right rather than as an interface
> structure.
> For example someone uses CMP to register a key then XKMS to revoke it,
> what does the keybinding id mean in the query??
> Also we can have many key binding elements for one single underlying
> virtual keybinding...
> Phill
>
--
Slava Galperin
mailto:slava.galperin@sun.com
For in much wisdom is much grief: and he that increaseth knowledge
increaseth sorrow.
(Ecclesiastes 1:18)
Received on Wednesday, 18 December 2002 00:16:20 UTC
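The three candidate matching rules from the message above, written out as
an added example (this is not code from the message, from the XKMS
specification or from either author; the class and function names, the
modelling of KeyInfo as an opaque string and of UseKeyWith as
(Application, Identifier) pairs, and the sample key bindings are all
assumptions made here). It also shows the "inseparable key bindings" remark
concretely: two bindings returned by one Register call for the same key,
where one of them cannot be singled out by any pattern under the superset
rule.

```python
"""Target-selection rules for KeyBinding patterns in XKRSS
Reissue/Revoke/Recover requests: "exact", "superset" and "any" matching
over KeyInfo / KeyUsage / UseKeyWith, as discussed in the message above.
The class and function names and the sample store are assumptions of this
example; they are not XKMS schema names or text from the specification."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Sequence, Tuple

# Modelling assumptions: UseKeyWith is a set of (Application URI, Identifier)
# pairs, KeyUsage a set of usage names, and KeyInfo an opaque string that
# stands in for the public key (e.g. a fingerprint of the KeyValue).
UseKeyWith = FrozenSet[Tuple[str, str]]
KeyUsage = FrozenSet[str]


@dataclass(frozen=True)
class KeyBinding:
    key_info: str
    key_usage: KeyUsage
    use_key_with: UseKeyWith


def match_exact(target: KeyBinding, request: KeyBinding) -> bool:
    """All three components of the pattern must equal the target's."""
    return (target.key_info == request.key_info
            and target.key_usage == request.key_usage
            and target.use_key_with == request.use_key_with)


def match_superset(target: KeyBinding, request: KeyBinding) -> bool:
    """KeyInfo equal; the target's UseKeyWith and KeyUsage each contain the
    request's. An empty request set is a subset of anything, so it acts as
    a wildcard under this rule."""
    return (target.key_info == request.key_info
            and target.use_key_with >= request.use_key_with
            and target.key_usage >= request.key_usage)


def match_any(target: KeyBinding, request: KeyBinding) -> bool:
    """KeyInfo equal; each non-empty request set must intersect the
    target's (isEmpty(...) or nonEmptyIntersection(...) in the message)."""
    return (target.key_info == request.key_info
            and (not request.use_key_with
                 or bool(target.use_key_with & request.use_key_with))
            and (not request.key_usage
                 or bool(target.key_usage & request.key_usage)))


RULES: Dict[str, Callable[[KeyBinding, KeyBinding], bool]] = {
    "exact": match_exact, "superset": match_superset, "any": match_any,
}


def select_targets(store: Sequence[KeyBinding], request: KeyBinding,
                   rule: str) -> List[KeyBinding]:
    """Key bindings in `store` that the request pattern selects under `rule`."""
    return [kb for kb in store if RULES[rule](kb, request)]


def inseparable_under_superset(store: Sequence[KeyBinding]) -> List[KeyBinding]:
    """Bindings that no pattern can single out under the superset rule.
    A pattern that matches kb has sets no larger than kb's own, so it also
    matches every binding that kb (used as its own pattern) matches; hence
    kb is inseparable exactly when its own pattern selects more than itself."""
    return [kb for kb in store if len(select_targets(store, kb, "superset")) > 1]


# Constructed sample store (not real data): one Register call produced two
# bindings for key A, one per PKI back-end (S/MIME and TLS certificates),
# plus one binding for an unrelated key B.
SMIME = ("urn:ietf:rfc:2633", "alice@example.com")
TLS = ("urn:ietf:rfc:2246", "www.example.com")
STORE = (
    KeyBinding("key-A", frozenset({"Signature", "Encryption"}), frozenset({SMIME})),
    KeyBinding("key-A", frozenset({"Signature", "Encryption"}), frozenset({SMIME, TLS})),
    KeyBinding("key-B", frozenset({"Signature"}), frozenset({SMIME})),
)

if __name__ == "__main__":
    pattern = STORE[0]  # a Revoke request naming key A's S/MIME binding
    for rule in RULES:
        print(rule, [STORE.index(kb) for kb in select_targets(STORE, pattern, rule)])
    print("inseparable under superset:",
          [STORE.index(kb) for kb in inseparable_under_superset(STORE)])
```

Running it shows the practical difference between the rules: a Revoke
carrying key A's S/MIME binding as its pattern hits only that binding under
"exact", but both key-A bindings under "superset" and "any", and the S/MIME
binding is reported as inseparable under the superset rule because any
pattern loose enough to match it also matches the binding that lists both
applications.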