Re: FW: changelog #A1

On Wednesday 18 December 2002 12:11, Hallam-Baker, Phillip wrote:
> I don't think the problem is with the explanation of the difference
> between Locate and Validate. I think the real problem is that people
> refuse to believe that there can be two operations that are identical
> except in the degree of trust that is asserted. Let's get clear on the
> processing model before we go onto the text...

ARGH -- as this unravels the uneasy understanding I had managed to
accommodate. If this was the case then all there is, is a query with a
different trust policy or KeyUsage.

> Locate returns exactly the same information as Validate with the sole
> exception that it explicitly does not undertake to meet even the minimal
> requirements of a trusted service.

What does this mean, "minimal requirements of a trusted service?" How 
trusted a service is, is determined by the client's assessment of the 
service's trust policy.

> In the case of validate the client MAY rely on the information returned
> directly. In the case of locate the client MUST accept responsibility
> for validation.

What? If you are going to use MUST and MAY in this way, you must have them
apply to the same term and think of an actual test/case example.

> A locate only service might be run on an untrusted machine in a location
> with no physical security because the service can rely on the client
> performing the validation step. 

And a validate service might be run on a 10% untrusted machine in a locked 
closet. It's meaningless to talk of "trust" in this way. Trust is an
expectation/reflection of risk. This might vary across locating information
(I might trust one LDAP server which is updated more often than another
that has long gone stale) and validation (I might trust a better maintained 
machine with timely CRL updates to do path validation more than one that 
doesn't). Trust is determined by context and the policy the service says
it's operating under -- so as to indemnify the risk. I *thought* we had
finally agreed that locate and validate had nothing to do with this. 
Instead, they pertained to the sort of processing I'm expecting in response 
to each request. Locate is a simple query; Validate is a query with 
additional processing. The degree to which I believe the information is 
correct can apply to both, and is orthogonal to both.

Received on Wednesday, 18 December 2002 12:31:36 UTC