- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Mon, 06 Dec 2004 09:42:34 +0000
- To: jose.kahan@w3.org
- Cc: www-xkms@w3.org
Jose, Not dumb at all. Jose Kahan wrote: > XKMS Locate and Validate can be used to extract the public-key component > found in a certificate. The goal is to remove the burden of certificate s/The goal/One goal/ above and that's right, e.g. we're also trying to be xmldsig friendly (unlike say scvp;-) > parsing from applications by delegating it to an XKMS server. > > I was wondering why XKMS doesn't convert between different certificates. > For example, suppose that I have an X509 certificate pubkey certificate > and a PGP signed message with the correspondent private key. That's an implementation matter isn't it. There's nothing at all to stop an xkms responder implementer from providing this service, it would simply advertise that it can accept x,y & z forms of keyInfo as input and produce r,s and t forms as output. With PGP and X.509 there're really no serious semantic differences so long as you don't take revocation too seriously (and presumably you don't if you're using an x.509 key with a PGP appn. or v-v). If you tried to do x.509/pgp vs. spki then there might be more issues, but then again no one seems to use spki. Stephen. PS: Wouldn't be the 1st time this's been done - we did it for an internal PKI when I worked with a large German company, 'cause there were some biz. units that insisted on PGP and there was a desire to have a single PKI. Wasn't hard at all, we just generated PGP keyrings in the x.509 PKI, so the same smartcard worked with both sets of appns. > > If I am using a PGP tool to verify the signature, I could use XKMS to > extract the pubkey from the X509 certificate, but then I'd need to do > some kind of hack in order to use this key with my PGP tool, like > converting it to a PGP pubkey certificate or adding hooks to the place > where it uses the pubkey. > > If XKMS were to convert the X509 certificate into a PGP one, I wouldn't > need to hack my tool. > > Maybe I'm missing something or maybe it's not possible to convert > between certificates because they have not the same semantics or some > issue related to the signing of the certificate. > > I was just wondering how feasible it could be to integrate XKMS > with off-the-shelf applications. > > -jose
Received on Monday, 6 December 2004 09:38:51 UTC