- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Mon, 23 May 2005 12:53:41 +0100
- To: Kenneth Jensen <xmlsec@gmail.com>
- Cc: www-xkms@w3.org
> I have yet another question regarding a "use case" of XKMS. It relates > to the section 4.1.2 in the spec, in which the example shows a > requester sending a X.509 cert to a service, which then responds with > the keyvalue and the key purposes. The text says, that the service > does not report the revocation status of the certificate. Which is fair enough, if that's what the service said it would do. > Is it understood that the certificate in the example is actually > registered in a binding with the responding service, and if so, isn't > the service /supposed not to respond/ with a revoked > certificate/binding? All "policy" stuff. And reasonable too for a couple of reasons: - IMO the actual probability of getting good status information on a cert you come across in the wild is fairly small, - Many applications have their own revocation concept and therefore don't care very much what the CA says about cert status. > What I'm wondering is, whether it is an intended usage for XKMS, to > let a service process arbitrary certificates that are not registered, > with the purpose of providing a sort of "certificate interpretation" > service for clients? "Policy" again:-) > If a request contains just a certificate, along with RespondWith > elements identifying only information to be found *in* the > certificate, such a service could be provided regardless of the > registered bindings in the repository. Sure. In the limit, the server could simply be an x.509 to ds:KeyInfo translator with no "PKI trust" required at all! Say if the application doesn't care who you are, only that you're the same entity (*) as last time. (*) More properly stated: You're an entity that demonstrates use of the private key to produce a signature verifiable with the same public key as last time. Stephen.
Received on Monday, 23 May 2005 11:49:45 UTC