- From: Joseph Reagle <reagle@w3.org>
- Date: Fri, 8 Mar 2002 10:09:57 -0500
- To: Rich Salz <rsalz@zolera.com>
- Cc: stephen.farrell@baltimore.ie, www-xkms@w3.org
On Thursday 07 March 2002 19:21, Rich Salz wrote:
> I understand, and it is kinda neat (I assume that's a typo in your
> example, and it should be <ds:Signature/>).

Yes.

> HOWEVER, in a conventional
> PKI, Locate is usually served by a directory such as LDAP; LDAP
> directories do not sign their response.

However, in the example in XKMS (Tier 1) the example of the Locate service is for a KeyValue. So I may want to have a signature on the result of the locate service! I don't think the XKMS spec is mistaken to show one doing a locate for a KeyValue either. So I don't think one can use the sole existence of a signature as the difference between locate and validate. (I believe the difference is whether you are asking for the KeyBinding info.)

> Validate, on the other hand, is
> done by things like OCSP (which do) or the Identrus RM. :)
>
> Locate doesn't need a signature, because you can ask for the cert which
> is itself signed. Validation is making more abstract statements about
> the cert/key, and a relying party will probably require the entity
> responding to sign things.
>
> Does that help?

Sort of. I'm sure different bits of conventional PKI mean and do various things, but for *this* spec I'm still confused about the word "validate". The XKMS specification says, "Clients SHOULD ensure that the response from the service to a Locate or Validate operation is valid, meaning that the following criteria are met." and then it speaks of authenticity, integrity, and correspondence. And how this is achieved is up to the application (via xmldsig, SSL, or IPSEC for example) -- and rightly so.

While I know what XML Signature validation is [1], in XKMS it appears the word (in lower case) means the authenticity, integrity and correspondence (a characteristic of the protocol), and I still don't know what the upper case Validate means.

[1] http://www.w3.org/TR/xmldsig-core/#def-ValidationSignature

--
Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Friday, 8 March 2002 10:10:01 UTC