- From: Yassir Elley - Sun Microsystems <Yassir.Elley@sun.com>
- Date: Fri, 18 Jan 2002 17:04:47 -0500 (EST)
- To: Yassir.Elley@sun.com, stephen.farrell@baltimore.ie
- Cc: www-xkms@w3.org
Stephen,

I am not sure I understand the second option you suggest. Are you suggesting that the client would send a KeyName of Alice to the Locate Service and would request a Certificate and the Locate Service would return several Certificates for Alice and the client would then select one of the certificates that contained Alice's encryption key and send that to the Validate service? If so, wouldn't it be simpler just to call the Validate service and request a particular KeyUsage (of Encryption)? If this is not what you are suggesting, could you clarify?

I also do not understand the Data Encryption example for a Locate service in the spec. Why would the client just want an unvalidated KeyName and KeyValue for Alice? What is the client going to do with that information? He is certainly not going to use it to send an encrypted document since he has no idea if this is really Alice's key or if it is valid.

Thanks,
Yassir.

- From: Stephen Farrell <stephen.farrell@baltimore.ie>
- Date: Fri, 18 Jan 2002 11:03:49 -0500 (EST)
- To: Yassir Elley - Sun Microsystems <Yassir.Elley@sun.com>
- Cc: www-xkms@w3.org
- Subject: Re: Question about Locate Service

Yassir,

I can see two functions that locate can perform. The one you mention:

> I could understand if the client asked the Locate service to return an
> X509 certificate or chain of certificates, and then the client did the
> validation himself. Is that the intended usage of the Locate service?

one variant of which is called DPD in the IETF PKIX context, and secondly I can also imagine a client using a locate on a name, getting a (set of) KeyInfo elements, picking one, and then doing a validate (say prior to encryption). I'm not sure if others are considering this latter case, but I think it might be useful.

Stephen.

-- 
____________________________________________________________
Stephen Farrell
Baltimore Technologies,                  tel: (direct line) +353 1 881 6716
39 Parkgate Street,                      fax: +353 1 881 7000
Dublin 8.                                mailto:stephen.farrell@baltimore.ie
Ireland                                  http://www.baltimore.com
Received on Friday, 18 January 2002 17:04:35 UTC
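The two flows argued over in this thread (Locate returning unvalidated key bindings, versus Validate checking a binding for a requested KeyUsage) are easy to confuse without something concrete in front of you. The following is an added simulation, written for this archive page; it is not code from the XKMS specification, from either correspondent, or from any XKMS implementation, and it does not use XKMS wire syntax. The directory contents, the trusted-issuer set, the revocation list and the "now" timestamp are all constructed for the example; the status strings and reason names are loosely modelled on XKMS vocabulary but are assumptions here. The point it shows is the one Yassir raises: a Locate response for "Alice" may legitimately contain an expired encryption key, a key issued by an unknown party, and a signing key, so a client that encrypts to the first Locate hit gets the wrong key, while a client that Validates each candidate for KeyUsage Encryption (Stephen's second flow) ends up with the right one.

```python
"""Constructed simulation of the XKMS Locate/Validate split.

Not XKMS wire format and not spec code: a Locate service hands back every
binding it knows for a name without vouching for any of it; a Validate
service checks one binding against trust policy (issuer, validity window,
revocation) and against the KeyUsage the client asked for.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class KeyBinding:
    """Rough stand-in for an XKMS key binding (KeyName + key + usage + validity)."""
    key_name: str
    key_id: str
    key_usage: frozenset   # e.g. frozenset({"Encryption"}) or frozenset({"Signature"})
    issuer: str
    not_before: datetime
    not_after: datetime


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed policy and directory state for the example (assumptions, not real data).
NOW = _utc(2002, 1, 18)                # the date of the thread, used as "current time"
TRUSTED_ISSUERS = {"Trusted CA"}
REVOKED = {"alice-sig-2001"}           # hypothetical revocation list

DIRECTORY = {
    "Alice": [
        # current signing key, but revoked
        KeyBinding("Alice", "alice-sig-2001", frozenset({"Signature"}),
                   "Trusted CA", _utc(2001, 1, 1), _utc(2003, 1, 1)),
        # old encryption key, expired a year ago, still in the directory
        KeyBinding("Alice", "alice-enc-1999", frozenset({"Encryption"}),
                   "Trusted CA", _utc(1999, 1, 1), _utc(2001, 1, 1)),
        # the encryption key a sender should actually use
        KeyBinding("Alice", "alice-enc-2001", frozenset({"Encryption"}),
                   "Trusted CA", _utc(2001, 1, 1), _utc(2003, 1, 1)),
        # an encryption key published under Alice's name by an untrusted issuer
        KeyBinding("Alice", "alice-enc-rogue", frozenset({"Encryption"}),
                   "Unknown CA", _utc(2001, 1, 1), _utc(2003, 1, 1)),
    ]
}


def locate(key_name, key_usage=None):
    """Locate service: return every binding known for key_name, unvalidated.

    The optional key_usage only narrows the search; it is not an assertion
    that the returned keys are trustworthy, current or unrevoked.
    """
    bindings = DIRECTORY.get(key_name, [])
    if key_usage is not None:
        bindings = [b for b in bindings if key_usage in b.key_usage]
    return list(bindings)


def validate(binding, key_usage, now=NOW):
    """Validate service: check one binding against policy and the requested usage.

    Returns ("Valid", ()) or ("Invalid", (reason, ...)).  Reason names are
    loosely borrowed from XKMS vocabulary and are an assumption of this example.
    """
    reasons = []
    if binding.issuer not in TRUSTED_ISSUERS:
        reasons.append("IssuerTrust")
    if not (binding.not_before <= now < binding.not_after):
        reasons.append("ValidityInterval")
    if binding.key_id in REVOKED:
        reasons.append("RevocationStatus")
    if key_usage not in binding.key_usage:
        reasons.append("KeyUsage")
    return ("Valid", ()) if not reasons else ("Invalid", tuple(reasons))


def naive_encryption_key_for(key_name):
    """Encrypt to whatever Locate returns first: the flow Yassir objects to."""
    hits = locate(key_name, "Encryption")
    return hits[0].key_id if hits else None


def encryption_key_for(key_name, now=NOW):
    """Locate, then Validate each candidate for KeyUsage Encryption: Stephen's second flow."""
    for candidate in locate(key_name, "Encryption"):
        status, _reasons = validate(candidate, "Encryption", now)
        if status == "Valid":
            return candidate.key_id
    return None   # no validated encryption key: refuse to encrypt rather than guess


if __name__ == "__main__":
    print("Locate hits for Alice:", [b.key_id for b in locate("Alice")])
    print("naive choice:", naive_encryption_key_for("Alice"))
    print("validated choice:", encryption_key_for("Alice"))
```

Run as a script, the naive path picks the expired `alice-enc-1999` binding simply because it is the first Encryption-usage hit, and the validated path skips it (ValidityInterval) and the untrusted one (IssuerTrust) to land on `alice-enc-2001`. Whether the usage filter belongs on the Locate request or only on the Validate request is exactly the design question the thread leaves open; the simulation keeps both so the difference is visible.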