- From: Slava Galperin <slava.galperin@sun.com>
- Date: Wed, 18 Dec 2002 16:02:19 -0800
- To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
- CC: Joseph Reagle <reagle@w3.org>, "Www-Xkms (E-mail)" <www-xkms@w3.org>
"Hallam-Baker, Phillip" wrote:
>
> It is also the model that meets the original goal of shielding
> the client from the horrors of PKI. The model I have been
> promoting is the Client asks the validate service for a key
> and the validate service then grovels through whatever databases,
> DNS, directories, Locate services etc it needs to get the
> answer.
>
> If you have a client that is already PKI literate then the
> locate service makes a lot of sense since chain building
> is hard while chain validation is relatively straightforward.
> That way you still get your traditional end to end security.
>
> The mixed model of do a locate first then throw the data at
> a validate service makes much less sense to me. I know people
> think it is a winner but I don't see that myself. Why have the
> client be a blind relay when the service can do the job for it?
I completely agree with the above (I apologize if it was not clear in my
original question).
I did not question the need for a separate Locate service to support the
use case for Locate + local validation.
I was questioning the "Locate followed by Validate" scenario where a single
Validate request could be used instead.
--
Slava Galperin mailto:slava.galperin@sun.com
For in much wisdom is much grief: and he that increaseth knowledge
increaseth sorrow.
(Ecclesiastes 1:18)
Received on Wednesday, 18 December 2002 19:02:24 UTC