- From: tommy lindberg <lindberg_tommy@hotmail.com>
- Date: Wed, 19 May 2004 15:25:37 +0000
- To: stephen.farrell@cs.tcd.ie
- Cc: www-xkms@w3.org
No, that was not my intention -- thanks.

>From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
>To: tommy lindberg <lindberg_tommy@hotmail.com>
>Subject: Re: minutes online ... 11 may, 2004 telecon
>Date: Wed, 19 May 2004 16:09:29 +0100
>
>
>Tommy - did you want that off list?
>
>Why don't you re-send and I'll answer on the list.
>
>Stephen.
>
>tommy lindberg wrote:
>
>>
>>Hi Stephen -
>>
>>If the responder is not required to return both values when present in the
>>underlying PKI then he is potentially giving the relying party an
>>incorrect view of the validity interval.
>>
>>E.g. consider the case where both attributes are left out by the responder
>>although they exist in the underlying PKI; according to paragraph [193]
>>the relying party will think that the binding is valid at any time which
>>is not what the PKI thinks.
>>
>>Regards
>>Tommy
>>
>>>From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
>>>To: tommy lindberg <lindberg_tommy@hotmail.com>
>>>CC: www-xkms@w3.org
>>>Subject: Re: minutes online ... 11 may, 2004 telecon
>>>Date: Wed, 19 May 2004 14:40:56 +0100
>>>
>>>
>>>Hi Tommy,
>>>
>>>>An XKMS service MAY indicate a key binding's validity interval using the
>>>><ValidityInterval> element as defined in 5.1.5 in [1]. This element has
>>>>two attributes of type xsd:dateTime, NotBefore and NotOnOrAfter, both
>>>>of which are optional.
>>>>
>>>>I imagine the attributes are optional for the purpose of supporting the
>>>>various flavors of PKI's mentioned in the specification.
>>>>
>>>>The way the text in 5.1.5 is formulated permits an XKMS service to specify
>>>>only one or neither of the boundary attributes even though their counterparts
>>>>exist in the underlying PKI.
>>>>
>>>>I propose that a relying party ought to be assured to get both attributes
>>>>when they exist in the underlying PKI.
>>>
>>>
>>>What breaks if we don't do that? Not much I'd guess since the
>>>RP has to be able to handle cases where stuff is missing. So I'd
>>>rather not impose such a new requirement on a responder (or did
>>>you mean something else by "be assured"?)
>>>
>>>Stephen.
>>>
Received on Wednesday, 19 May 2004 11:26:33 UTC
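
Added example, not part of the original message or of the XKMS specification: a relying-party check that shows the effect discussed in this thread, where an omitted NotBefore or NotOnOrAfter attribute is read as "no bound" and the binding is accepted outside the period the underlying PKI holds. The dates, sample elements and function names are constructed for illustration; the namespace is assumed to be the XKMS 2.0 one.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

XKMS_NS = "http://www.w3.org/2002/03/xkms#"
UTC = timezone.utc

# Constructed validity period held by the underlying PKI (e.g. a certificate).
PKI = (datetime(2004, 1, 1, tzinfo=UTC), datetime(2005, 1, 1, tzinfo=UTC))

# Constructed responder outputs: both bounds, only NotBefore, neither.
_EL = '<ValidityInterval xmlns="' + XKMS_NS + '" %s/>'
FULL = _EL % 'NotBefore="2004-01-01T00:00:00Z" NotOnOrAfter="2005-01-01T00:00:00Z"'
ONLY_NB = _EL % 'NotBefore="2004-01-01T00:00:00Z"'
NEITHER = _EL % ""


def parse_interval(xml_text):
    """Return (NotBefore, NotOnOrAfter); None marks an absent attribute."""
    elem = ET.fromstring(xml_text)  # constructed input; harden parsing for untrusted XML
    if elem.tag != "{%s}ValidityInterval" % XKMS_NS:
        raise ValueError("not an XKMS ValidityInterval element")

    def bound(name):
        raw = elem.get(name)
        if raw is None:
            return None
        dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        # Assumption: a dateTime without a zone is treated as UTC.
        return dt if dt.tzinfo else dt.replace(tzinfo=UTC)

    return bound("NotBefore"), bound("NotOnOrAfter")


def rp_accepts(interval, at):
    """Relying-party reading from the thread: an absent bound means no bound."""
    not_before, not_on_or_after = interval
    return ((not_before is None or at >= not_before)
            and (not_on_or_after is None or at < not_on_or_after))


def widened_bounds(reported, pki=PKI):
    """Bounds the PKI holds but the responder left out."""
    names = ("NotBefore", "NotOnOrAfter")
    return [n for n, r, p in zip(names, reported, pki) if r is None and p is not None]


if __name__ == "__main__":
    after_expiry = datetime(2006, 6, 1, tzinfo=UTC)  # constructed check time
    for label, xml_text in (("full", FULL), ("only NotBefore", ONLY_NB), ("neither", NEITHER)):
        iv = parse_interval(xml_text)
        print(label, rp_accepts(iv, after_expiry), widened_bounds(iv))
```

A relying party that has independent access to the PKI object can use `widened_bounds` as a consistency check on what the responder reported.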