
Re: Issue Query Key binding

From: Slava Galperin <slava.galperin@sun.com>
Date: Wed, 19 Feb 2003 12:07:02 -0800
Message-ID: <3E53E3E6.A3EFD0F1@sun.com>
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
CC: "Www-Xkms (E-mail)" <www-xkms@w3.org>

I am ok with adoption of the "superset" rule from my earlier
as fixed matching rule for QueryKeyBinding for both ValidateRequest and

I have the following additional comments:

1. I propose that we explicitly disallow both KeyInfo and UseKeyWith to
be absent in QueryKeyBinding. (This will eliminate ambiguity for an
implementer on how to handle this corner case.)

2. Why is KeyUsage not part of the matching? If we do not match on it
we should not make it part of QueryKeyBinding.

3. We still need to explicitly formulate a matching rule for KeyBinding
used as a selection criterion in Reissue/Revoke/Recover.

     Using a single fixed matching rule (such as, for example, the
     "superset" rule we decided to use for QueryKeyBinding) may not
     be precise enough for the Reissue/Revoke case as it will result in
     reissuing/revoking of more bindings than intended (e.g., it
     may not be possible to revoke a specific individual binding
     separately from other bindings which also match).

     We may also want to constrain the KeyBinding used with a Recover
     request to only include KeyInfo (or use KeyInfo directly
     instead of KeyBinding as a selector for the Recover request) since
     the Recover operation actually applies to the key value, not the

"Hallam-Baker, Phillip" wrote:

> I am attempting to deal with the matching rules. What should we
> specify, exact match, best guess? Should the result match all the
> terms or match any of the terms?
>
> In the past we discussed a match flag, is this really necessary? I
> hope not.
>
> Do we need to do more than this?
>
> Element <QueryKeyBinding>
>
> The <QueryKeyBinding> element is derived from
> the KeyBindingAbstractType and is used to perform a query that results
> in the return of one or more matching key bindings.
>
> A key binding matches the QueryKeyBinding if:
>    * The key binding contains all the <UseKeyWith> elements contained
>      in the query, and
>    * The key binding contains all the <KeyInfo> elements contained in
>      the query
>
> The <QueryKeyBinding> element extends the KeyBindingAbstractType with
> the following additional elements:
>      <TimeInstant> [Optional]
>           The Time Instant for which the query is made. If no
>           time instant is specified the default is the time the
>           request was made.
>
> The following schema defines the <QueryKeyBinding> element
> and KeyBindingType:

Slava Galperin

"It is difficult to catch a black cat in a dark room. Especially if
there is no cat there."
 - Confucius
Received on Wednesday, 19 February 2003 15:07:05 UTC
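
The superset rule quoted above and the corner cases raised in comments 1 and 3, as an added Python example that is not part of the original message or of the XKMS specification. The `Binding` model, the (application, identifier) pairs, the key identifiers and `matches_exact` are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """Simplified model: only the two element kinds the rule inspects."""
    binding_id: str                        # hypothetical handle, for display only
    key_info: frozenset = frozenset()      # opaque key identifiers (assumed)
    use_key_with: frozenset = frozenset()  # (application, identifier) pairs (assumed)

def matches_superset(binding, query):
    """Binding matches if it contains every KeyInfo and UseKeyWith in the query."""
    return (query.key_info <= binding.key_info
            and query.use_key_with <= binding.use_key_with)

def matches_exact(binding, query):
    """Contrast only: an exact-match alternative, not a rule adopted in the thread."""
    return (query.key_info == binding.key_info
            and query.use_key_with == binding.use_key_with)

def select(store, query, rule=matches_superset, reject_empty=True):
    """Return sorted ids of bindings selected by `query` under `rule`."""
    if reject_empty and not (query.key_info or query.use_key_with):
        # Comment 1: a query with neither KeyInfo nor UseKeyWith is refused.
        raise ValueError("query must carry KeyInfo or UseKeyWith")
    return sorted(b.binding_id for b in store if rule(b, query))

# Constructed sample data.
ALICE_MAIL = ("smime", "alice@example.com")
ALICE_TLS = ("tls", "www.example.com")
BOB_MAIL = ("smime", "bob@example.com")
STORE = [
    Binding("b1", frozenset({"K1"}), frozenset({ALICE_MAIL})),
    Binding("b2", frozenset({"K1"}), frozenset({ALICE_MAIL, ALICE_TLS})),
    Binding("b3", frozenset({"K2"}), frozenset({BOB_MAIL})),
]

def demo():
    # A selector written to describe b1 exactly.
    target = Binding("query", frozenset({"K1"}), frozenset({ALICE_MAIL}))
    return {
        "locate": select(STORE, Binding("query", use_key_with=frozenset({ALICE_MAIL}))),
        "revoke_superset": select(STORE, target),            # b2 is swept in too
        "revoke_exact": select(STORE, target, matches_exact),
        "empty_unguarded": select(STORE, Binding("query"), reject_empty=False),
    }

if __name__ == "__main__":
    for name, ids in demo().items():
        print(name, ids)
```

Under the superset rule a selector that describes `b1` exactly still selects `b2`, and an empty selector selects every binding unless it is rejected up front.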