- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 19 May 2005 12:46:11 +0100
- To: Kenneth Jensen <xmlsec@gmail.com>
- Cc: www-xkms@w3.org
Kenneth,

> And if my application only knows the value of the key, how will it
> know which XKMS service to ask for more information? I'm sorry if I
> seem a bit blind on this...

No problem. I'd imagine that one of the main modes-of-operation for xkms would be where a client has a configured responder that it trusts for pretty much everything. In that case, if the client receives a ds:Signature just containing a ds:KeyValue, then it can do a validate on the ds:KeyInfo and request the responder to return a binding.

It's only when the binding comes back that the client gets to see what it can treat as an authenticated identity for the signer.

Nice side effect: if the xkms responder is not just a dumb x.509 front-end, then the signer and verifier don't have to use the same name for the signer! One less thing to break interop.

Stephen.
Received on Thursday, 19 May 2005 11:42:30 UTC
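
The flow described in the message above, as an added Python sketch that is not part of the original post or of any XKMS implementation: the client lifts the ds:KeyInfo out of a signature, wraps it in a ValidateRequest for its configured responder, and accepts identities only from a binding reported as Valid. The responder URL, sample signature and sample result are constructed, and the result is assumed to arrive over an authenticated channel.

```python
import uuid
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XKMS = "http://www.w3.org/2002/03/xkms#"
RESPONDER = "https://xkms.example/validate"  # assumed: the one configured, trusted responder

# Constructed sample: a signature whose KeyInfo carries only a bare key value.
SIGNATURE = f"""<ds:Signature xmlns:ds="{DS}"><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
<ds:Modulus>AQIDBA==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature>"""

# Constructed sample result; REQ_ID is replaced with the request's Id before use.
RESULT = f"""<ValidateResult xmlns="{XKMS}" xmlns:ds="{DS}" Id="r1" RequestId="REQ_ID"
 Service="{RESPONDER}" ResultMajor="{XKMS}Success"><KeyBinding Id="b1">
<ds:KeyInfo><ds:KeyName>alice</ds:KeyName></ds:KeyInfo>
<UseKeyWith Application="urn:ietf:rfc:2633" Identifier="alice@example.com"/>
<Status StatusValue="{XKMS}Valid"/></KeyBinding></ValidateResult>"""


def build_validate_request(signature_xml, service=RESPONDER):
    """Wrap the signature's ds:KeyInfo in an XKMS ValidateRequest element."""
    key_info = ET.fromstring(signature_xml).find(f"{{{DS}}}KeyInfo")
    if key_info is None:
        raise ValueError("signature carries no ds:KeyInfo")
    req = ET.Element(f"{{{XKMS}}}ValidateRequest",
                     {"Id": "_" + uuid.uuid4().hex, "Service": service})
    ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = XKMS + "KeyName"
    ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding").append(key_info)
    return req


def authenticated_identities(result_xml, request_id):
    """Return (Application, Identifier) pairs taken only from Valid bindings."""
    res = ET.fromstring(result_xml)
    # Refuse a result that answers some other request or reports a failure.
    if res.get("RequestId") != request_id or res.get("ResultMajor") != XKMS + "Success":
        raise ValueError("result does not answer this request")
    identities = []
    for binding in res.findall(f"{{{XKMS}}}KeyBinding"):
        status = binding.find(f"{{{XKMS}}}Status")
        if status is not None and status.get("StatusValue") == XKMS + "Valid":
            identities += [(u.get("Application"), u.get("Identifier"))
                           for u in binding.findall(f"{{{XKMS}}}UseKeyWith")]
    return identities
```

Nothing from the signature itself is treated as a name here; the identity comes only from the responder's binding, which is what lets signer and verifier use different names.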