- From: Ed Simon <edsimon@xmlsec.com>
- Date: Fri, 28 Jun 2002 09:04:36 -0400
- To: <stef.hoeben@utimaco.be>
- Cc: <www-xkms@w3.org>
Stef wrote:

> Could you tell me if it ("checking if a cert is valid some
> time ago" -ed.) is possible to do the above using
> the current XKMS 'Validate' service(s)?

Yes, I would say it is. You can use the Validate service for the certificate in question, and the Validate service can choose to return a status code of Invalid with a <ValidityInterval> element indicating the certificate has already expired and when that happened.

Stef wrote:

> If you doubt if an XKMS service should provide it, do you mean
> that the client should do all the work, or that it should not
> be part of XKMS?

I'm not making any statement on whether an XKMS service should or should not provide such functionality; that decision is really up to the business model of the particular XKMS service and is completely outside the scope of the spec.

What the spec does say is:

"If the Reason code ValidityInterval is returned with a Status code of Invalid additional information MAY be provided in the <ValidityInterval> element of the KeyBinding. If only the NotOnOrAfter attribute is specified it indicates that the specified time instant is before the credential became valid. If only the NotAfter attribute is specified it indicates that either the credential expired or was revoked. If both the NotOnOrAfter and NotAfter attributes are specified it is likely that the credential was suspended and MAY be reinstated at a later time."

So in summary, XKMS does enable the functionality you describe but does not mandate it. The good news is that if an XKMS service does not provide the service then it is easy for the client to determine that.

I do not really see how the client would "do all the work" if it needs to deal with one or more XKMS services that do not provide validity intervals for expired certificates. It seems to me that would require the client to ping the XKMS Validate service for all certificates that the client might ever need to use before any of those certificates have a chance to expire, which does not seem very practical to me.

Regards, Ed

----------------------------------------------------------------------------
Ed Simon <edsimon@xmlsec.com>
(613) 726-9645
XMLsec Inc.
Interested in XML Security Training and Consulting services? Visit "www.xmlsec.com".

>
> > ... checking and so on. As well, XKMS could be used as the
> > basis for such things as "checking if a cert is valid some
> > time ago" though I can't say if that type of functionality
> > would necessarily be provided by an XKMS service provider.
>
> Could you tell me if it is possible to do the above using
> the current XKMS 'Validate' service(s)?
>
> If you doubt if an XKMS service should provide it, do you mean
> that the client should do all the work, or that it should not
> be part of XKMS?
>
> Thanks, Stef
Received on Friday, 28 June 2002 09:01:44 UTC
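The interpretation rules Ed quotes from the spec, as an added Python example (not code from this thread or from any XKMS implementation): it classifies a Validate KeyBinding by which ValidityInterval attributes are present and, for the expired-or-revoked case, answers Stef's "was it valid some time ago" question by comparing the instant against NotAfter. The flat element layout and the absence of an XML namespace are simplifying assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed KeyBinding fragments (not from the original post). Nesting Status,
# Reason and ValidityInterval directly under KeyBinding without a namespace is a
# simplifying assumption; the attribute names follow the spec text quoted above.
EXPIRED = """<KeyBinding><Status>Invalid</Status><Reason>ValidityInterval</Reason>
<ValidityInterval NotAfter="2002-01-31T23:59:59Z"/></KeyBinding>"""
NOT_YET_VALID = """<KeyBinding><Status>Invalid</Status><Reason>ValidityInterval</Reason>
<ValidityInterval NotOnOrAfter="2003-01-01T00:00:00Z"/></KeyBinding>"""
SUSPENDED = """<KeyBinding><Status>Invalid</Status><Reason>ValidityInterval</Reason>
<ValidityInterval NotOnOrAfter="2002-06-01T00:00:00Z" NotAfter="2002-09-01T00:00:00Z"/>
</KeyBinding>"""
NO_DETAIL = "<KeyBinding><Status>Invalid</Status><Reason>ValidityInterval</Reason></KeyBinding>"


def interpret(keybinding_xml: str) -> str:
    """Classify an Invalid/ValidityInterval KeyBinding per the quoted spec text."""
    kb = ET.fromstring(keybinding_xml)
    if kb.findtext("Status") != "Invalid" or kb.findtext("Reason") != "ValidityInterval":
        return "not-a-validity-interval-result"
    vi = kb.find("ValidityInterval")
    if vi is None:                      # the element is optional ("MAY be provided")
        return "invalid-no-detail"
    not_on_or_after, not_after = vi.get("NotOnOrAfter"), vi.get("NotAfter")
    if not_on_or_after and not_after:   # both present: likely suspended, may be reinstated
        return "suspended"
    if not_on_or_after:                 # only NotOnOrAfter: instant precedes validity
        return "not-yet-valid"
    if not_after:                       # only NotAfter: credential expired or was revoked
        return "expired-or-revoked"
    return "invalid-no-detail"


def _parse(ts: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with a trailing Z (assumed format)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def was_valid_at(keybinding_xml: str, instant: str):
    """Was the credential still valid at <instant>, judging from NotAfter?

    Returns True/False for an expired-or-revoked result, or None when the
    service gave no interval to compare against (as Ed notes it may choose not to).
    """
    if interpret(keybinding_xml) != "expired-or-revoked":
        return None
    not_after = ET.fromstring(keybinding_xml).find("ValidityInterval").get("NotAfter")
    return _parse(instant) < _parse(not_after)
```

A None result is the client-side signal Ed mentions: this service did not supply a validity interval, so the historical check cannot be answered from this response alone.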