
Subject: Re: [dss] FW: XML Key Management Specification Last Call - need review/feedback


At 10:55 AM 4/21/2003 -0400, Robert Zuccherato wrote:

>I received the following message from Shivaram Mysore, one of the chairs of
>the XKMS WG.  The XKMS specification has entered its last call process.  Are
>there any comments that we, as a TC, wish to make to the XKMS WG?

It would be nice if the public key used by an (identified requestor / 
single key pair) DSS service could be registered and located.

For example, suppose Acme.com has a DSS service that it trusts to sign for 
Alice@Acme.com.  Suppose this DSS service has a single key pair, and when 
it signs, it adds "Alice@Acme.com" as a signed attribute to identify the 
requestor.

You'd like to be able to query the Acme.com XKMS service for 
Alice@Acme.com, and retrieve the DSS service's key.  However, the XKMS 
service wouldn't want to say "this is Alice's signature key", because that's 
untrue - you can't assume everything signed by this key is from 
Alice.  Instead, the XKMS service would need to say "this is Alice's 
*delegated* signature key", indicating that if you receive a signature 
signed by this key *and* with Alice's name as a signed attribute, only then 
should you assume the signature was produced under Alice's control.

I think this could be done by adding a new "DelegatedSignature" value to 
the <KeyUsage> element: <KeyUsage>DelegatedSignature</KeyUsage>.  We could 
at least ask them about something like this.

Trevor
