- From: Yassir Elley - Sun Microsystems <Yassir.Elley@sun.com>
- Date: Fri, 18 Jan 2002 16:49:09 -0500 (EST)
- To: stephen.farrell@baltimore.ie, Yassir.Elley@sun.com, pbaker@verisign.com
- Cc: www-xkms@w3.org
Phill,

I am not sure this is a very compelling use case. This would only be useful if the signature did not verify with the public key in the certificate, because then the client would save the performance (and monetary) cost of a validation. However, in the common case, the signature probably will verify. So, in the common case, the client will be making two calls (a Locate followed by a Validate) and suffering the performance penalty of two calls, two round trips, etc., rather than just making a single Validate call.

-Yassir.

Resent-Date: Fri, 18 Jan 2002 11:16:42 -0500 (EST)
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: "'stephen.farrell@baltimore.ie'" <stephen.farrell@baltimore.ie>, Yassir Elley - Sun Microsystems <Yassir.Elley@sun.com>
Cc: www-xkms@w3.org
Subject: RE: Question about Locate Service

In some circumstances a client may have a key that is trustworthy (or whose trustworthiness is not the issue) and merely want to have the locate service provide the key information.

For example a transaction processor may receive a signed message with an attached X.509v3 certificate and query the locate service to obtain the public key parameters so that the signature verification can be performed.

It is very likely that you would want to check the signature before you do the validation if you are paying a per validation fee.

Phill

> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@baltimore.ie]
> Sent: Friday, January 18, 2002 11:04 AM
> To: Yassir Elley - Sun Microsystems
> Cc: www-xkms@w3.org
> Subject: Re: Question about Locate Service
>
> Yassir,
>
> I can see two functions that locate can perform. The one you mention:
>
> > I could understand if the client asked the Locate service to return an
> > X509 certificate or chain of certificates, and then the client did the
> > validation himself. Is that the intended usage of the Locate service?
>
> one variant of which is called DPD in the IETF PKIX context and secondly
> I can also imagine a client using a locate on a name, getting a (set of)
> KeyInfo elements, picking one, and then doing a validate (say prior to
> encryption). I'm not sure if others are considering this latter case,
> but I think it might be useful.
>
> Stephen.
>
> --
> ____________________________________________________________
> Stephen Farrell
> Baltimore Technologies, tel: (direct line) +353 1 881 6716
> 39 Parkgate Street, fax: +353 1 881 7000
> Dublin 8. mailto:stephen.farrell@baltimore.ie
> Ireland http://www.baltimore.com

Received on Friday, 18 January 2002 16:49:26 UTC