Further edits from Hallam-Baker, Phillip on 2002-09-26 (www-xkms@w3.org from September 2002)

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Wed, 25 Sep 2002 18:50:57 -0700
To: "Www-Xkms (E-mail)" <www-xkms@w3.org>
Message-ID: <2F3EC696EAEED311BB2D009027C3F4F40E6B24D0@vhqpostal.verisign.com>

 
Current state of play as I make it:
 
Schema issues (fixed in schema not in spec)  8
Issues to do with asynchronous processing     4
Last Minute fix issues                                    4
Other Issues                                                19
 
 
The latest changes:
 
(3)     Done
 
(8)    Done, text follows:
 
If a key usage is specified in a KeyBinding that the cryptographic algorithm
associated with the key does not support the element MUST be ignored. If a
key usage is specified in a QueryKeyBinding however the key usage forms part
of the criteria the service should attempt to match.

For example if a KeyBinding specifies the key usage xkms:Encryption for a
Digital Signature Algorithm key the relying application should ignore the
key usage element. If however a client makes a request that contains a
QueryKeyBinding that specifies the key usage encryption the service should
not return a Digital Signature Algorithm key.

(24)    Done


Confidentiality of Opaque Client Data


Clients SHOULD NOT send confidential or privacy sensitive data to a Trust
Service as Opaque Data unless it is encrypted such that it is not disclosed
to the service.

Examples of confidential data include internal program indices such as
pointers which might permit a malicious party with access to an XKMS service
or its audit logs to perform an attack based on knowledge of the internal
state of the client.

(36) Done, left SOAP reference and added in an XMLP reference

XMLP[XMLP] XML Protocol Working Group, http://www.w3.org/2000/xp/Group/
<http://www.w3.org/2000/xp/Group/> 

(52)    Done

(56)    Done in part - this needs a cleanup pass after I have redone the
async/sync processing issues etc.

(62)    Done

The double MAC calculation ensures that the <RevocationCode> value may be
sent as plaintext without the risk of disclosing a value which might have
been used by the end-user as a password in another context. A second
advantage of employing the double MAC calculation is that it ensures XKMS
service do not place arbitrary constraints on the length of or character set
in which the pass phrase is encoded.

(65) Done.

A client MAY use Opaque client data in conjunction with asynchronous request
processing to match a responses to the original request context. Opaque
client data MAY also be used in conjunction with synchronous request
processing to provide context information for purposes such as audit trail
reconciliation.

(66) Done, added in the following explanatory text and fixed the table.

RespondWith values are specified as QNames, the following identifiers are
defined:

Also fixed the Result Codes (major, minor), reason codes

Received on Wednesday, 25 September 2002 21:49:15 UTC