Re: Questions reg. XKMS spec

On 5/19/05, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

> I'd imagine that one of the main modes-of-operation for xkms would
> be where a client has a configured responder that it trusts for
> pretty much everything. In that case, if the client receives a
> ds:Signature just containing a ds:KeyValue, then it can do a
> validate on the ds:KeyInfo and request the responder to return
> a binding. Its only when the binding comes back that the client
> gets to see what it can treat as an authenticated identity for
> the signer.

OK.
I hadn't thought of using XKMS for that kind of "reverse lookup", but
it's a nice feature.

I guess I had a vague idea of XKMS as a more universal, interconnected
system, where a requester could either ask its own local XKMS service
and let that relay queries to its peers, or the requester could go
directly to the service "most likely" to know of a given key, based on
keyname+DNS or information about the target identifier for the key,
also resolved via DNS.

I have yet another question regarding a "use case" of XKMS. It relates
to the section 4.1.2 in the spec, in which the example shows a
requester sending an X.509 cert to a service, which then responds with
the keyvalue and the key purposes. The text says that the service
does not report the revocation status of the certificate.

Is it understood that the certificate in the example is actually
registered in a binding with the responding service, and if so, isn't
the service /supposed not to respond/ with a revoked
certificate/binding?

What I'm wondering is whether it is an intended usage for XKMS to
let a service process arbitrary certificates that are not registered,
with the purpose of providing a sort of "certificate interpretation"
service for clients?

If a request contains just a certificate, along with RespondWith
elements identifying only information to be found *in* the
certificate, such a service could be provided regardless of the
registered bindings in the repository.

---
Cheers,
Kenneth

PS: I apologize for mailing directly to you, Stephen. I accidentally
pressed the wrong reply button. :)

Received on Thursday, 19 May 2005 18:11:15 UTC
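The mode of operation Stephen describes (client extracts the ds:KeyInfo from a received ds:Signature, sends it to its one trusted responder in a Validate request, and only trusts an identity once a binding comes back) and Kenneth's point about RespondWith elements selecting what the responder returns can both be shown in a small client-side helper. The following is an added example, not code from this thread or from the XKMS specification. It uses the XKMS 2.0 and XML Signature namespaces and element names (ValidateRequest, QueryKeyBinding, RespondWith, KeyBinding, Status/StatusValue, KeyUsage, UseKeyWith); the service URL, the key material and the sample ValidateResult are constructed for illustration, and verifying the responder's own signature on the result is assumed to happen before the result is handed to this code.

```python
# Added example (not from the XKMS spec or this thread): minimal XKMS 2.0
# client-side helper. build_validate_request() wraps a ds:KeyInfo that carries
# only a ds:KeyValue into a ValidateRequest for the client's trusted responder;
# interpret_validate_result() reduces the returned KeyBindings to the
# identities the client may treat as authenticated (Valid bindings only).
import uuid
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DS)

# RespondWith identifiers defined by XKMS 2.0 that a client may ask for.
RW_KEY_NAME = XKMS + "KeyName"
RW_KEY_VALUE = XKMS + "KeyValue"
RW_X509_CERT = XKMS + "X509Cert"
STATUS_VALID = XKMS + "Valid"


def xk(local):
    """Clark-notation tag for an XKMS element."""
    return "{%s}%s" % (XKMS, local)


def build_validate_request(key_info_xml, service_url, respond_with=(RW_KEY_NAME,)):
    """Wrap a ds:KeyInfo (e.g. taken from a received ds:Signature) in a
    ValidateRequest addressed to the client's configured, trusted responder."""
    req = ET.Element(xk("ValidateRequest"),
                     {"Id": "I" + uuid.uuid4().hex, "Service": service_url})
    for rw in respond_with:                      # what we want back
        ET.SubElement(req, xk("RespondWith")).text = rw
    query = ET.SubElement(req, xk("QueryKeyBinding"))
    query.append(ET.fromstring(key_info_xml))    # the ds:KeyInfo goes in as-is
    return ET.tostring(req, encoding="unicode")


def interpret_validate_result(result_xml):
    """Return every KeyBinding in a ValidateResult plus the identities the
    client may rely on: UseKeyWith entries from bindings whose Status is Valid."""
    root = ET.fromstring(result_xml)
    if root.tag != xk("ValidateResult"):
        raise ValueError("expected xkms:ValidateResult, got %s" % root.tag)
    out = {"result_major": root.get("ResultMajor"), "bindings": [],
           "authenticated_identities": []}
    if out["result_major"] != XKMS + "Success":
        return out                               # nothing may be trusted
    for kb in root.findall(xk("KeyBinding")):
        status = kb.find(xk("Status"))
        binding = {
            "status": status.get("StatusValue") if status is not None else None,
            "reasons": [r.text for r in status] if status is not None else [],
            "key_usage": [u.text for u in kb.findall(xk("KeyUsage"))],
            "use_key_with": [(u.get("Application"), u.get("Identifier"))
                             for u in kb.findall(xk("UseKeyWith"))],
        }
        out["bindings"].append(binding)
        # Invalid and Indeterminate bindings are reported to the caller but
        # never promoted to an authenticated identity.
        if binding["status"] == STATUS_VALID:
            out["authenticated_identities"].extend(binding["use_key_with"])
    return out


# Constructed ds:KeyInfo as it might appear in a received signature: just a
# KeyValue, no KeyName or certificate. The modulus is a placeholder string.
SAMPLE_KEY_INFO = (
    '<ds:KeyInfo xmlns:ds="%s"><ds:KeyValue><ds:RSAKeyValue>'
    '<ds:Modulus>PLACEHOLDER-MODULUS-BASE64</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>'
    '</ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>' % DS)

# Constructed ValidateResult: one Valid binding naming the signer, and one
# Invalid binding (revoked) for a different identity that must be ignored.
SAMPLE_RESULT = """<xkms:ValidateResult xmlns:xkms="%(x)s" xmlns:ds="%(d)s"
  Id="I-result-1" Service="https://xkms.example.test/validate" RequestId="I-req-1"
  ResultMajor="%(x)sSuccess">
  <xkms:KeyBinding Id="I-kb-1">
    <ds:KeyInfo><ds:KeyName>alice@example.test</ds:KeyName></ds:KeyInfo>
    <xkms:KeyUsage>%(x)sSignature</xkms:KeyUsage>
    <xkms:UseKeyWith Application="urn:ietf:rfc:2633" Identifier="alice@example.test"/>
    <xkms:Status StatusValue="%(x)sValid">
      <xkms:ValidReason>%(x)sIssuerTrust</xkms:ValidReason>
      <xkms:ValidReason>%(x)sRevocationStatus</xkms:ValidReason>
      <xkms:ValidReason>%(x)sValidityInterval</xkms:ValidReason>
      <xkms:ValidReason>%(x)sSignature</xkms:ValidReason>
    </xkms:Status>
  </xkms:KeyBinding>
  <xkms:KeyBinding Id="I-kb-2">
    <xkms:UseKeyWith Application="urn:ietf:rfc:2459" Identifier="CN=Alice Old,O=Example"/>
    <xkms:Status StatusValue="%(x)sInvalid">
      <xkms:InvalidReason>%(x)sRevocationStatus</xkms:InvalidReason>
    </xkms:Status>
  </xkms:KeyBinding>
</xkms:ValidateResult>""" % {"x": XKMS, "d": DS}

if __name__ == "__main__":
    print(build_validate_request(SAMPLE_KEY_INFO, "https://xkms.example.test/validate"))
    print(interpret_validate_result(SAMPLE_RESULT)["authenticated_identities"])
```

The request side asks only for KeyName here; adding RW_X509_CERT or RW_KEY_VALUE to respond_with is how a client expresses the "certificate interpretation" use Kenneth asks about, since RespondWith just lists what the responder should include. The result side deliberately keeps the revoked binding in "bindings" (so a caller can log or display why it was rejected) while the "authenticated_identities" list contains only what a Valid binding vouched for.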