Re: thy tiers might cease...

From: Rich Salz <rsalz@zolera.com>
Date: Thu, 07 Mar 2002 19:21:18 -0500
Message-ID: <3C8803FE.BA9EF815@zolera.com>
To: reagle@w3.org
CC: stephen.farrell@baltimore.ie, www-xkms@w3.org

I understand, and it is kinda neat (I assume that's a typo in your
example, and it should be <ds:Signature/>).  HOWEVER, in a conventional
PKI, Locate is usually served by a directory such as LDAP; LDAP
directories do not sign their response.  Validate, on the other hand, is
done by things like OCSP (which do) or the Identrus RM. :)

Locate doesn't need a signature, because you can ask for the cert which
is itself signed. Validation is making more abstract statements about
the cert/key, and a relying party will probably require the entity
responding to sign things.

Does that help?
	/r$
-- 
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com
Received on Thursday, 7 March 2002 19:21:41 UTC
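
The Locate/Validate distinction drawn in the message above, as an added example that is not part of the original post: a certificate fetched from an unsigned directory is checked through the CA signature it carries, while a status statement is only accepted with the responder's signature. Toy textbook RSA over Mersenne primes stands in for real certificate and OCSP signatures; every name, key and value is constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def keygen(p, q):
    # Toy textbook RSA from two Mersenne primes: illustration only, not secure.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == digest(data, n)

CA = keygen(2**61 - 1, 2**89 - 1)            # constructed CA key
RESPONDER = keygen(2**107 - 1, 2**127 - 1)   # constructed validation-service key

def issue_cert(subject, subject_key):
    body = f"{subject}|{subject_key}".encode()
    return {"body": body, "sig": sign(CA, body)}

def accept_located(cert):
    # Locate: the directory answer is unsigned; trust comes from the CA
    # signature carried inside the certificate itself.
    return verify(CA["n"], cert["body"], cert["sig"])

def validate(cert, status, signed=True):
    # Validate: a statement *about* the cert, which the cert cannot vouch for.
    stmt = hashlib.sha256(cert["body"]).hexdigest().encode() + b"|" + status.encode()
    return {"stmt": stmt, "sig": sign(RESPONDER, stmt) if signed else None}

def accept_validation(resp):
    return resp["sig"] is not None and verify(RESPONDER["n"], resp["stmt"], resp["sig"])

def demo():
    cert = issue_cert("alice", "alice-public-key")
    directory = {"alice": cert}                       # stands in for an LDAP entry
    located_ok = accept_located(directory["alice"])
    directory["alice"] = {"body": b"alice|substituted-key", "sig": cert["sig"]}
    swapped_ok = accept_located(directory["alice"])   # altered in the directory
    resp = validate(cert, "revoked")
    signed_ok = accept_validation(resp)
    altered = {"stmt": resp["stmt"].replace(b"revoked", b"good"), "sig": resp["sig"]}
    return (located_ok, swapped_ok, signed_ok,
            accept_validation(altered), accept_validation(validate(cert, "good", signed=False)))

if __name__ == "__main__":
    print(demo())
```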