OASIS Mailing List Archives: dss message


Subject: RE: [dss] FW: XML Key Management Specification Last Call - need review/feedback


At 02:06 AM 4/22/2003 -0700, Hallam-Baker, Phillip wrote:

>We could put a line in the spec that says the default for a web service is
>the schema uri (or something similar)

Actually, I wasn't thinking of the public key the DSS service is 
authenticated with, but the public key that can verify the DSS service's 
signatures.

A DSS service produces signatures (such as XML-DSIG and CMS signatures) for 
its clients - if it authenticates the client, it may attach the client's 
name as a signed attribute to the signature - this way a client can produce 
signatures that are associated with himself, without needing his own key pair.

So it would be nice if a relying party can query an XKMS service on the DSS 
client's name, and receive back the DSS service's key, but the XKMS client 
would need to be told that this key is not in the sole possession of the 
DSS client, but must be associated with the DSS client through a signed 
attribute.

So for a given protocol that uses signatures, I was thinking an XKMS client 
could query for <KeyUsage>DelegatedSignature</KeyUsage> as well as 
<KeyUsage>Signature</KeyUsage>.  But the same thing could also be done by 
defining an extra application URI for the <UseKeyWith> element, for every 
protocol that uses signatures, to denote the delegated signature 
version.  This seems sort of less right, and it requires the definition of 
an extra URI for each protocol that uses signatures, but since it doesn't 
require changing XKMS, it's probably the way to go.

Trevor
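As an added example, not part of Trevor's mail nor of any XKMS or DSS specification, here is the relying-party decision the <UseKeyWith> alternative implies, in Python: look up the client's name, and if the binding that comes back uses a delegated-signature application URI, attribute the signature to the client only when the signed client-name attribute names them. The application URIs, the `ClientName` attribute and the LocateResult document are constructed placeholders; the code assumes the signature itself has already been verified against the returned key.

```python
# Added example (not from the thread). XKMS 2.0 element names and namespace are
# real; the application URIs, the ClientName attribute and the sample result
# are constructed placeholders.
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"  # XKMS 2.0 namespace

# Hypothetical application URIs: one for keys the subject holds itself, one for
# a DSS service that signs on the subject's behalf (the "delegated" version).
APP_DIRECT = "urn:example:xmldsig"
APP_DELEGATED = "urn:example:xmldsig-delegated"

# Constructed LocateResult: the binding for "alice" carries the DSS service's
# key, marked as usable only with the delegated-signature application.
SAMPLE_RESULT = f"""
<LocateResult xmlns="{XKMS}">
  <UnverifiedKeyBinding>
    <KeyUsage>Signature</KeyUsage>
    <UseKeyWith Application="{APP_DELEGATED}" Identifier="alice"/>
  </UnverifiedKeyBinding>
</LocateResult>"""


def key_bindings(locate_result_xml, subject):
    """Return (application URI, set of KeyUsage) for each binding naming subject."""
    root = ET.fromstring(locate_result_xml)
    found = []
    for kb in root.iter(f"{{{XKMS}}}UnverifiedKeyBinding"):
        usages = {u.text for u in kb.findall(f"{{{XKMS}}}KeyUsage")}
        for ukw in kb.findall(f"{{{XKMS}}}UseKeyWith"):
            if ukw.get("Identifier") == subject:
                found.append((ukw.get("Application"), usages))
    return found


def attribute_signature(locate_result_xml, subject, signed_attrs):
    """Decide whether an already-verified signature may be attributed to subject.

    signed_attrs holds the signed attributes found in the signature. A key bound
    via the delegated URI belongs to the DSS service and is shared by all its
    clients, so it only speaks for subject if the signed client-name attribute
    (hypothetical key "ClientName") names that subject.
    Returns "direct", "delegated" or "rejected".
    """
    for app, usages in key_bindings(locate_result_xml, subject):
        if "Signature" not in usages:
            continue
        if app == APP_DIRECT:
            return "direct"
        if app == APP_DELEGATED and signed_attrs.get("ClientName") == subject:
            return "delegated"
    return "rejected"
```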
