Subject: Re: [dss] FW: XML Key Management Specification Last Call - need review/feedback
At 10:55 AM 4/21/2003 -0400, Robert Zuccherato wrote:

> I received the following message from Shivaram Mysore, one of the chairs of
> the XKMS WG. The XKMS specification has entered its last call process. Are
> there any comments that we, as a TC, wish to make to the XKMS WG?

It would be nice if the public key used by an (identified requestor / single key pair) DSS service could be registered and located.

For example, suppose Acme.com has a DSS service that it trusts to sign for Alice@Acme.com. Suppose this DSS service has a single key pair, and when it signs, it adds "Alice@Acme.com" as a signed attribute to identify the requestor.

You'd like to be able to query the Acme.com XKMS service for Alice@Acme.com, and retrieve the DSS service's key. However, the XKMS service wouldn't want to say "this is Alice's signature key", because that's untrue - you can't assume everything signed by this key is from Alice. Instead, the XKMS service would need to say "this is Alice's *delegated* signature key", indicating that if you receive a signature signed by this key *and* with Alice's name as a signed attribute, only then should you assume the signature was produced under Alice's control.

I think this could be done by adding a new "DelegatedSignature" value to the <KeyUsage> element: <KeyUsage>DelegatedSignature</KeyUsage>.

We could at least ask them about something like this.

Trevor
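The verification rule Trevor describes, as an added example that is not part of the original message or of any XKMS or DSS implementation: a relying party locates the key binding for Alice@Acme.com, sees the proposed `DelegatedSignature` usage, and therefore accepts a signature as Alice's only when the signed "Requestor" attribute also names her. The `LocateResult` fragment is constructed in the style of an XKMS 2.0 `UnverifiedKeyBinding` (`KeyUsage`, `UseKeyWith`), the `DelegatedSignature` value is the one proposed in the message rather than a value XKMS defines, and an HMAC over the message and signed attributes stands in for the real XML-DSig signature so the example runs offline.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

XKMS_NS = "http://www.w3.org/2002/03/xkms#"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed XKMS-style locate response for Alice@Acme.com.
# "DelegatedSignature" is the KeyUsage value proposed in the message; XKMS
# itself only defines Encryption, Signature and Exchange.
LOCATE_RESULT = f"""<LocateResult xmlns="{XKMS_NS}">
  <UnverifiedKeyBinding>
    <KeyInfo xmlns="{DSIG_NS}"><KeyName>acme-dss-service-key</KeyName></KeyInfo>
    <KeyUsage>DelegatedSignature</KeyUsage>
    <UseKeyWith Application="urn:ietf:rfc:2822" Identifier="Alice@Acme.com"/>
  </UnverifiedKeyBinding>
</LocateResult>"""

# Stand-in for the DSS service's single key pair: an HMAC secret keyed by
# KeyName (constructed; a real deployment would verify an XML-DSig signature).
KEY_SECRETS = {"acme-dss-service-key": b"constructed-demo-secret"}


def parse_key_binding(xml_text):
    """Extract key name, KeyUsage values and UseKeyWith identifiers."""
    root = ET.fromstring(xml_text)
    binding = root.find(f"{{{XKMS_NS}}}UnverifiedKeyBinding")
    key_name = binding.find(f"{{{DSIG_NS}}}KeyInfo/{{{DSIG_NS}}}KeyName").text
    usages = {e.text for e in binding.findall(f"{{{XKMS_NS}}}KeyUsage")}
    identifiers = {e.get("Identifier") for e in binding.findall(f"{{{XKMS_NS}}}UseKeyWith")}
    return {"key_name": key_name, "usages": usages, "identifiers": identifiers}


def _signed_bytes(message, signed_attrs):
    # The signed attributes are bound into the signature input, so a
    # "Requestor" attribute cannot be swapped without invalidating the MAC.
    attrs = "\n".join(f"{k}={v}" for k, v in sorted(signed_attrs.items()))
    return (message + "\n" + attrs).encode()


def sign(key_name, message, signed_attrs):
    """What the DSS service does: sign message plus signed attributes."""
    return hmac.new(KEY_SECRETS[key_name], _signed_bytes(message, signed_attrs),
                    hashlib.sha256).hexdigest()


def verify_on_behalf_of(identity, message, signed_attrs, signature, binding):
    """Relying-party check: was this signature produced under `identity`'s control?"""
    if identity not in binding["identifiers"]:
        return False
    usages = binding["usages"]
    if "DelegatedSignature" in usages:
        # Delegated key: the key alone proves nothing about Alice; the signed
        # Requestor attribute must name her as well.
        if signed_attrs.get("Requestor") != identity:
            return False
    elif "Signature" not in usages:
        return False  # not a signing key at all
    expected = sign(binding["key_name"], message, signed_attrs)
    return hmac.compare_digest(expected, signature)


def demo():
    """Returns (alice_ok, bob_rejected, forged_rejected)."""
    binding = parse_key_binding(LOCATE_RESULT)
    msg = "approve purchase order 17"
    alice_attrs = {"Requestor": "Alice@Acme.com"}
    bob_attrs = {"Requestor": "Bob@Acme.com"}
    alice_sig = sign("acme-dss-service-key", msg, alice_attrs)
    bob_sig = sign("acme-dss-service-key", msg, bob_attrs)
    return (
        verify_on_behalf_of("Alice@Acme.com", msg, alice_attrs, alice_sig, binding),
        # Same key, valid signature, but the requestor is Bob: not Alice's.
        verify_on_behalf_of("Alice@Acme.com", msg, bob_attrs, bob_sig, binding),
        verify_on_behalf_of("Alice@Acme.com", msg, alice_attrs, "00" * 32, binding),
    )


if __name__ == "__main__":
    print(demo())
```

The second case is the one the message warns about: the signature is genuine and comes from the key XKMS returned for Alice, yet it must not be attributed to her because the delegated key also signs for other requestors.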