[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [dss] Core protocol: is the <Status> element the status of what has been validated ?
Trevor,
First of all, I agreee that the proposal I made was breaking the
core-options separation,
specially when speaking of the Reports... What I have in mind (and I did
not make clear
in that message) is that these Reports can be part of the Options... sorry
about that.
I tried to illustrate that we should define as part of the Options a
Reports mechanism
that could give different levels of information....
Second, I agree with the fact that the first level of our protocol has this
architecture:
some required elements and an Options element containing all the options.
Now, where I think we disagree is on the extent of the Status element...
>
>In the requirements doc (3.7.2) it says "the client may request that the
>signature be verified at a point in the past". Which sounds like an Option
>on the Verify Request, not the Response.
>
>If the client doesn't send such an Option, I assume the server should just
>validate for the current time. So do we need to return something like this
>in the response?
>
I see: you leave to the client the responsability of taking note of that
fact...
>
>
>That was just following SAML.
>
I have seen that XKMS does also use it
>>
>><xs:simpleType name="ResultValueType">
>> <xs:restriction base="xs:string">
>> <xs:enumeration value="Success"/>
>> <xs:enumeration value="Failure"/>
>> <xs:enumeration value="Refused"/>
>> </xs:restriction>
>></xs:simpleType>
>>
>><xs:simpleType name="CodeErrorType">
>> <xs:restriction base="xs:string">
>> <xs:enumeration value="InternalError"/>
>> <xs:enumeration value="UntrustedToken"/>
>> <xs:enumeration value="UnrecognizedToken"/>
>> <xs:enumeration value="UserNoAuthorized"/>
>> <xs:enumeration value="Request error"/>
>> </xs:restriction>
>></xs:simpleType>
>>
Do you agree in that these situations deserve some coding?
>I still kinda like re-using the <Status> to say whether the signature
>succeeded or failed. It just gives a nice symmetry to things. Both the
>Sign and Request protocols send <Options> and receive <Status> and
><Outputs>, and the only difference is that the sign protocol receives a
><Signature>, and the verify protocol sends one:
I would not call that re-using, but enlarging its semantics. IF you
still see Status as an element without inner structure, ie, one
whose value is a QName from a repertory I think that we are mixing two
different
meanings.....For me re-using is to take a previously defined element and
using it as part of a new structure keeping its semantics...
I do not like very much tags that seem to say something and in fact contain
two types of information.
Generally speaking, when somebody mentions "status" in a verification process
I always think in the status of a certificate or whether the signature is
valid or not,
unless the "status" is followed by something like "the server has reached".
So, I contend that we should clearly separate both issues, in different
elements:
1. Whether the server could process the request of the client.
2. Whether the server found valid or unvalid the signature.
Because they are denoting completely different things and in consequence
they can fire in the client's side completely different actions!!!
I propose you the following:
<xs:element name="SignResponse">
<xs:complexType>
<xs:sequence>
<xs:element ref="dss:Result"/>
<xs:element ref="dss:Signature" minOccurs="0"/>
<xs:element ref="dss:Outputs" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="VerifyResponse">
<xs:complexType>
<xs:sequence>
<xs:element ref="dss:Result"/>
<xs:element ref="dss:Outputs" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
And then define a Result having two different elements:
<xs:element name="Result" type="ResultType"/>
<xs:complexType name="ResultType">
<xs:sequence>
<xs:element ref="ServerProcessingResult">
<xs:element ref="Status" minOccurs="0">
<xs:sequence/>
</xs:complexType>
---> I am using named types just because I remember better the
syntax...
Now, both elements would have a different repertory of predefined values, the
symmetry would remain at the first level, the tags would be better aligned
with their
contents and different informations would appear in different places...
Juan Carlos.
>
>Trevor
>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]