Questions on latest XKMS draft

Hi;

After looking over the latest Editor's Copy I have the following questions.
Some of these may just be misunderstandings and/or issues that are in the
process of being resolved.

1)  It's not clear what the purpose of the <Service> element is.  Why must
it be included in a request and why must it be verified?  Is it simply to
verify that the request was meant for the receiving service and hasn't been
redirected from some other service?  If so, then this problem is not always
a concern in all environments and requiring it may actually cause some
problems.  In some environments the URL seen by the client will not be the
same URL of the consuming service.  In fact, the service may support many
different service URLs making this check more of a nuisance than anything.

2)  What is purpose of QueryKeyBinding.Id?  How should a service handle it?
I see no value in this field.

3)  If a collection of certs are contained in a <KeyInfo>, is it to be
treated as a cert chain which must be validated?  Or is it valid to consider
them, as in S/MIME, as just a collection of certificates which may, or may
not, be sufficient to build a certificate chain?

4)  The <RequestSignatureValue> element is to be used when the
<ds:Signature> element is included in the request.  However, it is unclear
if it can only be used with an application level signature, or if it can
also be used with a WS-Security signature.  In Section 5.1 of Part II, the
table indicates that the Message/RequestID is used for Request/Response
Correspondence of variant II, however I think it should probably be the
<RequestSignatureValue> element that is listed here.  Also in this table,
the Request/MessageDigest element is listed as providing Request/Response
Correspondence for variant I, however I can't find this element anywhere.

Thanks,

	Robert Zuccherato.