- From: Yassir Elley - Sun Microsystems <Yassir.Elley@Sun.COM>
- Date: Thu, 17 Jan 2002 16:28:59 -0500 (EST)
- To: www-xkms@w3.org
I'm a little confused as to a typical use case for the Locate service. The spec says that "Tier 1: Processing of the <ds:KeyInfo> element by the application is delegated to a service. The service returns a <ds:KeyInfo> element that describes a public key meeting the criteria specified by the client application. Validation of the <ds:KeyInfo> is performed by the client."

In the Document Signature and Data Encryption examples, the client requests a KeyName and KeyValue for Alice to be returned. The Locate service returns a <ds:KeyInfo> with a KeyName and KeyValue. From my understanding, at this point, the client has no idea whether the KeyValue returned by the Locate service is or ever was the public key for Alice, since we do "NOT REQUIRE the service to make an assertion containing the validity of the binding between the data in the <ds:KeyInfo> element." The client is supposed to validate the KeyInfo that is returned. How is the client going to do this with just these values? The client will probably have to build and validate a chain of certificates himself to find out what Alice's public key is. What is the usefulness of the Locate service here?

I could understand if the client asked the Locate service to return an X509 certificate or chain of certificates, and then the client did the validation himself. Is that the intended usage of the Locate service?

Thanks,
Yassir.
Received on Thursday, 17 January 2002 16:28:44 UTC
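The Tier 1 situation the message describes, as an added example that is not part of the message or of the XKMS specification: a client receives a <ds:KeyInfo> carrying only a KeyName and an RSA KeyValue, and since the Locate service asserts nothing about the name-to-key binding, the client can only accept the key by checking it against trust information it already holds. The XKMS request/response wrapper is omitted; only the ds:KeyInfo payload is parsed. The key material, the trust store contents and the name "Alice" are constructed for illustration, and the pinned-key trust store stands in for whatever out-of-band binding a real client would rely on. If the response instead carried X509Data, the client would validate the certificate chain to its own trust anchors; that path-validation step is flagged but not implemented here.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

# XML Signature namespace used by <ds:KeyInfo> and its children.
DS = "http://www.w3.org/2000/09/xmldsig#"


def ds(tag: str) -> str:
    """Qualified name for an XML Signature element."""
    return f"{{{DS}}}{tag}"


# Constructed sample key material (not a real key): a 32-byte "modulus" and
# the common public exponent 65537, which base64-encodes as "AQAB".
CONSTRUCTED_MODULUS_B64 = base64.b64encode(bytes(range(1, 33))).decode()
CONSTRUCTED_EXPONENT_B64 = "AQAB"

# What a Locate service might return at Tier 1: a KeyName and a KeyValue,
# with no assertion that the two belong together. Constructed sample.
SAMPLE_LOCATE_KEYINFO = (
    '<ds:KeyInfo xmlns:ds="' + DS + '">'
    "<ds:KeyName>Alice</ds:KeyName>"
    "<ds:KeyValue><ds:RSAKeyValue>"
    "<ds:Modulus>" + CONSTRUCTED_MODULUS_B64 + "</ds:Modulus>"
    "<ds:Exponent>" + CONSTRUCTED_EXPONENT_B64 + "</ds:Exponent>"
    "</ds:RSAKeyValue></ds:KeyValue>"
    "</ds:KeyInfo>"
)

# The client's own trust information (hypothetical, constructed): the RSA
# key it has previously bound to each name by some out-of-band means.
TRUST_STORE = {
    "Alice": (
        base64.b64decode(CONSTRUCTED_MODULUS_B64),
        base64.b64decode(CONSTRUCTED_EXPONENT_B64),
    ),
}


def parse_locate_keyinfo(xml_text: str) -> dict:
    """Extract KeyName, RSA KeyValue and any X509Certificate elements."""
    root = ET.fromstring(xml_text)
    if root.tag != ds("KeyInfo"):
        raise ValueError("expected a ds:KeyInfo element")
    name_el = root.find(ds("KeyName"))
    rsa_path = f"{ds('KeyValue')}/{ds('RSAKeyValue')}"
    mod_el = root.find(f"{rsa_path}/{ds('Modulus')}")
    exp_el = root.find(f"{rsa_path}/{ds('Exponent')}")
    certs = [c.text.strip() for c in root.iter(ds("X509Certificate")) if c.text]
    return {
        "key_name": name_el.text.strip() if name_el is not None and name_el.text else None,
        "modulus": base64.b64decode(mod_el.text) if mod_el is not None else None,
        "exponent": base64.b64decode(exp_el.text) if exp_el is not None else None,
        "x509_certificates": certs,
    }


def validate_locate_result(keyinfo: dict, trust_store: dict) -> tuple:
    """Client-side validation of an unverified Locate result.

    Returns (accepted, reason). Because the Locate service made no assertion
    about the name-to-key binding, the only basis for accepting the KeyValue
    is the client's own trust information.
    """
    name = keyinfo["key_name"]
    if keyinfo["x509_certificates"]:
        # With a certificate chain the client could validate a path to its
        # own trust anchors; that step is outside this example.
        return (False, "x509-chain-validation-required")
    if keyinfo["modulus"] is None or keyinfo["exponent"] is None:
        return (False, "no-key-value")
    if name not in trust_store:
        # A KeyName is only a label; without a local binding it proves nothing.
        return (False, "no-local-binding-for-keyname")
    pinned_mod, pinned_exp = trust_store[name]
    # Constant-time comparison of the returned key against the pinned key.
    if hmac.compare_digest(pinned_mod, keyinfo["modulus"]) and \
       hmac.compare_digest(pinned_exp, keyinfo["exponent"]):
        return (True, "keyvalue-matches-pinned-key")
    return (False, "keyvalue-mismatch")


if __name__ == "__main__":
    result = validate_locate_result(parse_locate_keyinfo(SAMPLE_LOCATE_KEYINFO), TRUST_STORE)
    print(result)
```

The point the code makes is the one raised above: a bare KeyName plus KeyValue from Locate is accepted only when the client already holds a binding for that name, so for a name it has never seen the client is no better off than before it asked, which is why a returned certificate or chain is the more useful Tier 1 payload.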