
Re: Determining Server or Client use in XKMS

From: Vicente D. Guardiola Buitrago <vicentedavid81@yahoo.es>
Date: Fri, 02 Dec 2005 19:11:31 +0100
Message-ID: <43908E53.7040007@yahoo.es>
To: www-xkms@w3.org


I've been thinking about the solution you gave me in this e-mail, but I
want to raise another situation: HTTPS.

In HTTPS the Server/Client roles are clearly differentiated. So, if I want
to make a registration request for a Certificate to use in HTTPS, I need
to know whether it will be used as server or client.

According to your recommendation, I have to publish the service at one URL
at which clients request HTTPS Server Certificates and at another at which
clients request HTTPS Client Certificates. But, in this situation, every
client that wants to use my service has to know that, depending on the
requested data, it has to use different URLs, so a client has to be aware
of this kind of peculiarity, which depends on the concrete XKMS server.

Are we right in this approach? Should we continue in this direction or
address the problem in a different way?

Thanks a lot,

Vicente D. Guardiola
University of Murcia (Spain)

Stephen Farrell wrote:

> I guess you could either define a new UseKeyWith for a VPN g/w
> (is this really for tunnel mode g/w? there aren't really any
> clients/servers for IPsec are there.)
> Or, just configure different service URLs on the responder, so
> that requests to one use profile A, whereas requests to the
> other use profile B.
> 2nd one should be easier I guess, so long as the same entity
> isn't playing both IPsec "roles" at different times.
> S.
> Vicente D. Guardiola Buitrago wrote:
>> Hello,
>> I'm implementing an XKMS Server and I have a doubt.
>> My underlying PKI is based on X.509 certificates, and the problem
>> arises when I have to check the KeyUsage and UseKeyWith for the
>> requested Key binding in the found certificates. For instance, take
>> a Request with a UseKeyWith for IPSEC with IP A.B.C.D and KeyUsage
>> Signature and Encryption. This is a typical request, but for an X.509
>> certificate I need to know if the certificate is going to be used in
>> a Client or a Server, because the necessary extensions are different
>> in either situation.
>> Then, the question is, how can I determine if a request is for a
>> Client or a Server?
>> Thanks,
>> Vicente Guardiola
>> University of Murcia (Spain)

Received on Friday, 2 December 2005 18:17:51 UTC
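
The per-URL profile approach discussed in this thread, sketched as an added example that is not code from either poster or from any XKMS implementation: the same UseKeyWith/KeyUsage request yields different X.509 extensions depending on which service URL received it. The service paths, the function name and the KeyUsage-to-keyUsage mapping are assumptions; the TLS/HTTPS application URI and the two extended key usage OIDs are the standard ones.

```python
from urllib.parse import urlsplit

XKMS_NS = "http://www.w3.org/2002/03/xkms#"
TLS_HTTPS = "urn:ietf:rfc:2818"  # XKMS UseKeyWith Application URI for TLS/HTTPS

# Hypothetical service paths, one per certificate profile on the responder.
PROFILES = {
    "/xkms/https-server": {"role": "server", "eku": "1.3.6.1.5.5.7.3.1"},  # id-kp-serverAuth
    "/xkms/https-client": {"role": "client", "eku": "1.3.6.1.5.5.7.3.2"},  # id-kp-clientAuth
}

# Assumed mapping from XKMS KeyUsage values to X.509 keyUsage bits.
KEY_USAGE_BITS = {
    XKMS_NS + "Signature": "digitalSignature",
    XKMS_NS + "Encryption": "keyEncipherment",
    XKMS_NS + "Exchange": "keyAgreement",
}


class ProfileError(ValueError):
    """The request cannot be mapped onto a certificate profile."""


def select_profile(service_url, use_key_with, key_usages):
    """Return the X.509 extensions for a request received at service_url.

    use_key_with: list of (application_uri, identifier) pairs from the request.
    key_usages:   list of XKMS KeyUsage URIs from the request.
    """
    path = urlsplit(service_url).path.rstrip("/")
    profile = PROFILES.get(path)
    if profile is None:
        # Fail closed: an unbound URL must not fall back to a default role.
        raise ProfileError(f"no certificate profile bound to {path!r}")
    identifiers = [ident for app, ident in use_key_with if app == TLS_HTTPS]
    if not identifiers:
        raise ProfileError("request carries no UseKeyWith for TLS/HTTPS")
    unknown = [u for u in key_usages if u not in KEY_USAGE_BITS]
    if unknown:
        raise ProfileError(f"unsupported KeyUsage values: {unknown}")
    return {
        "role": profile["role"],
        "extendedKeyUsage": [profile["eku"]],
        "keyUsage": sorted({KEY_USAGE_BITS[u] for u in key_usages}),
        "identifiers": identifiers,
    }
```
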
