Re: FW: changelog #A1 from Slava Galperin on 2002-12-18 (www-xkms@w3.org from December 2002)

From: Slava Galperin <slava.galperin@sun.com>
Date: Tue, 17 Dec 2002 22:18:33 -0800
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
CC: "Www-Xkms (E-mail)" <www-xkms@w3.org>
Message-ID: <3E001339.7EF9FED6@sun.com>
IMHO, "intended use of the key" wording is still not precise enough. I
would like to have a generic specification of what is considered a
successful match between the QueryKeyBinding in the request and "target"
key binding.

For Validate the most appropriate interpretation seems to be "superset"
("find(check if) a key binding which is good for all the intended
purposes simultaneously"):

       (isAbsent(request.KeyInfo) or  target.KeyInfo = request.KeyInfo)
and
       target.UseKeyWith "is-a-superset-of" request.UseKeyWith and
       target.KeyUsage "is-a-superset-of" request.KeyUsage

I am unclear if there is sufficient usage model difference between
Locate and Validate so that it makes sense to relax matching criteria
for Locate to "any" ("find  all key bindings good for any one of the
specified purposes but not necessarily for all of them at the same
time") :
        (isAbsent(request.KeyInfo) or  target.KeyInfo = request.KeyInfo)
and
        (isEmpty(request.UseKeyWith) or
nonEmptyIntersection(target.UseKeyWith,request.UseKeyWith)) and
        (isEmpty(request.KeyUsage) or
nonEmptyIntersection(target.KeyUsage,request.KeyUsage))

We may also want to specify that we do not allow both KeyInfo and
UseKeyWith to be absent in QueryKeyBinding.

Also what is the rationale for "Applications SHOULD NOT
forward <UseKeyWith> elements returned in a Locate result in a
subsequent Validate query." ?
More generally, what is the rationale behind the "referral model in
which raw key binding information is obtained from a Locate service then
forwarded to a validate service" ? Why would a client go through a
two-step process instead of requesting "validated" keys directly from
Validate service through a single Validate request ?

"Hallam-Baker, Phillip" wrote:

> Element <UseKeyWith>
>
> The <UseKeyWith> element specifies a subject identifier and
> application identifier that determine a use of the key.
> In the case of a <KeyBinding> or <UnverifiedKeyBinding>
> the <UseKeyWith> element specifies a use of the key. If
> multiple <UseKeyWith> elements are present each element specifies a
> use of the key.
>
> In the case of a <QueryKeyBinding> or <TemplateKeyBinding>
> the <UseKeyWith> element specifies an intended use of the key. If
> multiple <UseKeyWith> elements are present each element specifies an
> intended use of the key.
>
>      Application     [Required]
>      A URI that specifies the application protocol with which the
>      key may be used
>      Identifier     [Required]
>
> Specifies the subject to which the key corresponds within the
> specified application protocol.
> <UseKeyWith> application identifiers MAY be used to represent key
> binding issuance and/or use policies instead of an application
> protocol. In this case the <UseKeyWith> element specifies that the key
> binding complies with the specified policy.
>
> In the case that a client follows a referral model in which raw key
> binding information is obtained from a Locate service then forwarded
> to a validate service the <UseKeyWith> elements in the query should in
> both cases specify the uses for which the application intends to use
> the key. Applications SHOULD NOT forward <UseKeyWith> elements
> returned in a Locate result in a subsequent Validate query.

--
Slava Galperin
mailto:slava.galperin@sun.com

For in much wisdom is much grief: and he that increaseth knowledge
increaseth sorrow.


(Ecclesiastes 1:18)
Received on Wednesday, 18 December 2002 01:19:05 UTC