- From: Joseph Reagle <reagle@w3.org>
- Date: Wed, 18 Dec 2002 15:02:31 -0500
- To: "Hallam-Baker, Phillip" <pbaker@verisign.com>, Slava Galperin <slava.galperin@sun.com>
- Cc: "Www-Xkms (E-mail)" <www-xkms@w3.org>
On Wednesday 18 December 2002 13:18, Hallam-Baker, Phillip wrote:
> I.E. we can assume a total compromise of the Locate service,
> Mallet has full control over it and there is no compromise of
> the system other than a loss of service.

There is a compromise in that I might ask John's email address, and I will be given the wrong information (e.g., address).

> Failure of a validate service MAY result in a failure of the
> system as a whole because the client MAY rely on it.

There is a compromise in that I might ask John's email address as bound to a public key, and I will be given the wrong information (e.g., key). (I presume the "MAY"s are not meant in the RFC sense; what do you mean by "system as a whole"?)

> There is no such thing as a 10% untrusted system, it is like
> being pregnant, either you are trusted or you are not.

In this sense then, if you are phb:trusted with respect to some action/assertion, others are acting as if you were 100% phb:trust-worthy. That might not be true in reality, nor do others necessarily consider you 100% trust-worthy; they might consider you 99% trust-worthy, but with respect to that action/assertion the action/acceptance is as if you were, and you accept the 1% risk or indemnify it by other means (e.g., insurance, futures, etc.)

Regardless, there are innumerable understandings of trust [1] that are further complicated by some of the odd ways in which we overload and use the term in English. Absent specific and shared definitions of these terms, I'd like to avoid the term altogether and substitute a more precise understanding of what we are trying to say in its place. To that end, I'm glad we've stopped speaking of locate and validate as "trust services." I've tweaked the text in 3.3 to further this.

3.3 Using Locate and Validate

The Locate and Validate operations are both used to obtain information about a public key from an XKMS Service.
Locate and Validate services are both expected to attempt to provide correct information to the requestor. They differ in the extent to which the service endeavors to ascertain, and consequently vouch for, the accuracy of the information returned. A Location service will return information that is to the best of its knowledge accurate. A Validation service will perform additional processing such as cryptographic validation over statements and policies under some definition of trust/validity such as [insert favorite: PGP's web of trust, OCSP, etc.]. Information obtained from a Locate service cannot be considered reliable. This can be remedied by forwarding the data to a Validate service or by performing the necessary processing locally.

For example, a Locate Service might act as an aggregator of public key related information obtained from a variety of sources without performing any checks to determine whether specific information is current or establishing any formal trust policy. Such a service would correspond to the role of a directory in a traditional PKI. A Validate service might provide a service that validates key information presented to it but does not provide aggregation services. An email client might use a pair of such services in combination to obtain a valid public key for the intended recipient of an encrypted email by first querying the Locate service and then forwarding the information received to a Validate service (Figure 4).
Received on Wednesday, 18 December 2002 15:02:43 UTC
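As an added illustration of the Locate-then-Validate flow in 3.3 and the compromised-Locate case discussed in the thread (example code written for this archive page, not from the email or from the XKMS specification): a Locate that aggregates without checking, a Validate that re-checks a binding under an assumed trust policy, and a client that uses a key only when Validate reports it Valid. The policy is modelled as a MAC under a constructed authority key, standing in for whatever web-of-trust or OCSP style policy the text leaves open; all names and bindings are constructed.

```python
import hashlib
import hmac

# Constructed secret of an assumed trust authority; it stands in for whatever
# validity policy (web of trust, OCSP, ...) a real Validate service applies.
AUTHORITY_KEY = b"constructed-authority-secret"

def _tag(email: str, pubkey: str) -> str:
    return hmac.new(AUTHORITY_KEY, f"{email}|{pubkey}".encode(), hashlib.sha256).hexdigest()

def issue_binding(email: str, pubkey: str) -> dict:
    """Authority-vouched binding of an email address to a public key."""
    return {"email": email, "key": pubkey, "tag": _tag(email, pubkey)}

class LocateService:
    """Directory-style aggregator: returns bindings as stored, with no checking."""
    def __init__(self, bindings: dict):
        self.bindings = dict(bindings)
    def locate(self, email: str):
        return self.bindings.get(email)

class ValidateService:
    """Re-checks a binding under the trust policy; performs no aggregation."""
    def validate(self, binding) -> str:
        if binding is None:
            return "Indeterminate"
        ok = hmac.compare_digest(_tag(binding["email"], binding["key"]), binding["tag"])
        return "Valid" if ok else "Invalid"

def key_for(email: str, locate: LocateService, validate: ValidateService):
    """Client flow from 3.3: query Locate, then forward the answer to Validate.
    The key is handed back only when Validate reports it Valid."""
    binding = locate.locate(email)
    status = validate.validate(binding)
    return status, (binding["key"] if status == "Valid" else None)

# Constructed scenario: an honest Locate and one under Mallet's control that
# hands out a substituted key for John while reusing the authority's tag.
JOHN = issue_binding("john@example.com", "KEY-JOHN")
HONEST_LOCATE = LocateService({JOHN["email"]: JOHN})
MALLET_LOCATE = LocateService({JOHN["email"]: dict(JOHN, key="KEY-MALLET")})
VALIDATE = ValidateService()

if __name__ == "__main__":
    print(key_for("john@example.com", HONEST_LOCATE, VALIDATE))  # ('Valid', 'KEY-JOHN')
    print(key_for("john@example.com", MALLET_LOCATE, VALIDATE))  # ('Invalid', None)
```

A client that trusted the Locate answer directly would encrypt to KEY-MALLET; forwarding the binding to Validate turns the wrong information into a detectable Invalid result.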