- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 27 Jan 2005 10:22:18 +0000
- To: Seung-wook Jung <seung-wook.jung@uni-siegen.de>
- Cc: www-xkms@w3.org
Hi, XKMS can certainly support any applications which use XAdES, and there are plenty of valid ways to do that. Here's one from the archive of this list [1] from a bit more than a year ago. As to the rest of your mail: we clearly disagree as to whether or not N-R is a sensible key usage: you think it is, I don't - and that's fine, since we don't need to agree! The XKMS WG concensus, which is what matters here, is, was always, and I guess will continue to be that N-R is not treated as a key usage, and further, that the WG will attempt to prevent people making the mistake of thinking N-R is a key usage, by making it very hard to extend key usage. Check the archives and meeting minutes and you'll see repeated assertions to this effect. You should also go check the archives of the PKIX list to see just where you end up considering N-R as a key usage (e.g. [2] is one of the many recurring threads there over the years). Feel free to take that up on the PKIX list if you like but this list is not the appropriate place for such discussion. Stephen. [1] http://lists.w3.org/Archives/Public/www-xkms/2003Dec/0005.html [2] http://www.imc.org/ietf-pkix/old-archive-01/thrd4.html#01025 Seung-wook Jung wrote: > Dears, > > <stephen farrell wrote:> > >>These three are afaik the only *cryptographically relevant* >>key usages in widespread use. > > >>We explicitly decided not to ever mention, nor conisder the N-R >>thing. (Also note that x.509 is moving slowly that way too, >>that bit will be called "contentCommitment" in future ITU-T >>docs, whatever that means.) > > >>Basically, we don't discuss N-R in XKMS. Its not a >>cryptographic operation. See the many, many pkix mails >>on this topic for why. If you still want to talk about >>N-R, I'd suggest looking to the ABA or maybe the ETSI >>group who believe in such things. > > </stephen farrell wrote:> > > IMHO, the standards must be extensible or generalized, it does not > limited only for widespread usage at this moment. > Also, the extensibility is a virtual of eXtensible Markup Language. > The key usage can be divided cryptographic service, mechanism, > and whatsoever according to the policy of organization. > In that sense, KeyUsageType in XKMS schema is too limited to be extensible or > too coarse-grained. > > <seung-wook jung wrote> > >>>How do you sure that any XKMS users will not sign over a >>>hash value of a document, which says you give me 10000$, >>>rather than a random challenge by challenge-response protocol? > > </seung-wook jung wrote> > > <stephen farrell answered:> > >>That's not relevant for XKMS. Applications which care, must >>care themselves. An xkms responder implementation/configuration >>which cares, can do so without affecting the protocol, e.g. via >>UseKeyWith or any other preferred mechanism (e.g. different >>responder URLs or some ad-hoc implementation wizardry). In >>any case, there's no way the xkms protocol can check or >>enforce what the document signature covers - you just have >>to depend on the application for that. > > </stephen farrell answered:> > > Of course, XKMS protocols itself cannot check or enforce what you can sign. > IMHO, XKMS should not be limited to only authentication with digital signature mechanism. > At the same time, XKMS should not consider all possible applications such as XAdES. > Therefore, what I wanted to say was how the security whole can be made due to the coarse-grained > or un-extensible key usages. Also, coarse-grained and limited key usages makes ambiguous. > > IMHO, the keyusage includes N-R or extensible in order to more clarify usage of key > and make the key usage independent on applications according to policy of trust third party. > > Best Regards, > S. Jung > > ========================================================== > Seung-Wook Jung > > University of Siegen > - Institute for Data Communications Systems - > > Hoelderlinstrasse 3 > D-57068 Siegen / Germany > Phone: +49-271-740-2332 > Fax: +49-271-740-2536 > e-mail: seung-wook.jung@uni-siegen.de > URL: http://www.dcs.uni-siegen.de > ============================================================
Received on Thursday, 27 January 2005 10:22:07 UTC