Subject: RE: [dss] FW: XML Key Management Specification Last Call - need review/feedback
At 02:06 AM 4/22/2003 -0700, Hallam-Baker, Phillip wrote:

>We could put a line in the spec that says the default for a web service is
>the schema uri (or something similar)

Actually, I wasn't thinking of the public key the DSS service is authenticated with, but the public key that can verify the DSS service's signatures.

A DSS service produces signatures (such as XML-DSIG and CMS signatures) for its clients - if it authenticates the client, it may attach the client's name as a signed attribute to the signature - this way a client can produce signatures that are associated with himself, without needing his own key pair.

So it would be nice if a relying party could query an XKMS service on the DSS client's name and receive back the DSS service's key, but the XKMS client would need to be told that this key is not in the sole possession of the DSS client, but must be associated with the DSS client through a signed attribute.

So for a given protocol that uses signatures, I was thinking an XKMS client could query for <KeyUsage>DelegatedSignature</KeyUsage> as well as <KeyUsage>Signature</KeyUsage>.

But the same thing could also be done by defining an extra application URI for the <UseKeyWith> element, for every protocol that uses signatures, to denote the delegated signature version. This seems sort of less right, and it requires the definition of an extra URI for each protocol that uses signatures, but since it doesn't require changing XKMS, it's probably the way to go.

Trevor
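Two XKMS LocateRequests that make the second option (an extra Application URI) concrete. This is an added sketch, not text from Trevor's mail or from the XKMS editors: the client name, the XKMS service address and the delegated-signature Application URI are assumptions; the element names, the S/MIME Application URI and the KeyUsage URI are XKMS 2.0's.

```xml
<!-- Added example, not from the mail or the XKMS spec.
     Assumed (constructed): the DSS client is known as "alice@example.com",
     the signature protocol is S/MIME (XKMS Application URI urn:ietf:rfc:2633),
     and urn:example:dss:delegated-signature is a hypothetical Application URI
     meaning "S/MIME signatures made by a DSS service on the identified
     client's behalf". -->

<!-- 1. Ordinary query: "which key does alice use to sign S/MIME herself?"
     A key returned for this binding is in alice's sole possession, so a
     signature that verifies under it is alice's. -->
<LocateRequest xmlns="http://www.w3.org/2002/03/xkms#"
               Id="req-direct-1" Service="http://xkms.example.com/">
  <RespondWith>http://www.w3.org/2002/03/xkms#KeyValue</RespondWith>
  <QueryKeyBinding>
    <KeyUsage>http://www.w3.org/2002/03/xkms#Signature</KeyUsage>
    <UseKeyWith Application="urn:ietf:rfc:2633"
                Identifier="alice@example.com"/>
  </QueryKeyBinding>
</LocateRequest>

<!-- 2. Delegated query: "which key does a DSS service use to sign S/MIME
     on alice's behalf?"  Only the Application URI differs, so XKMS itself
     is unchanged.  Because the URI is the delegated one, the relying party
     knows the returned key belongs to the DSS service and is shared by all
     of its clients: a signature that verifies under it is alice's only if
     the signed attribute naming the client reads "alice@example.com".
     Verifying the key alone is not sufficient for this binding. -->
<LocateRequest xmlns="http://www.w3.org/2002/03/xkms#"
               Id="req-delegated-1" Service="http://xkms.example.com/">
  <RespondWith>http://www.w3.org/2002/03/xkms#KeyValue</RespondWith>
  <QueryKeyBinding>
    <KeyUsage>http://www.w3.org/2002/03/xkms#Signature</KeyUsage>
    <UseKeyWith Application="urn:example:dss:delegated-signature"
                Identifier="alice@example.com"/>
  </QueryKeyBinding>
</LocateRequest>
```

The cost Trevor points out is visible here: every signature protocol that a DSS service signs for would need its own delegated twin of its Application URI, whereas a new KeyUsage value would cover them all at once.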