
Subject: RE: [dss] FW: DSS TC XKMS Last Call Comments

I propose the following response to the message from XKMS:
Apologies for the delay in responding to your message.
We agree with your suggestion and believe that <UseKeyWith> meets our requirements.
Nick Pope
-----Original Message-----
From: Blair Dillaway [mailto:blaird@exchange.microsoft.com]
Sent: 02 August 2003 01:16
To: Robert Zuccherato
Cc: www-xkms@w3.org; cruellas@ac.upc.es
Subject: DSS TC XKMS Last Call Comments


The DSS TC raised the issue of how one should indicate to an XKMS client that key information returned by an XKMS service was associated with a DSS service.  This would indicate that the keys are in possession of the DSS service and associated with the DSS client through a signed attribute.  It was suggested that a new <KeyUsage> element value or a <UseKeyWith> URI might be appropriate.

We do not believe a new <KeyUsage> element value is the correct mechanism for addressing this issue.  KeyUsage is intended to identify the cryptographic operation that a key may be used for.  It is not intended to indicate other factors such as how a key is stored or who has control over the key's use.  Within the DSS context, the appropriate KeyUsage would be "Signature".

We recommend definition of a new <UseKeyWith> URI as the appropriate mechanism for meeting your requirements.  The XKMS specification (23 July 2003 Editor's Draft), defines UseKeyWith as:

"[184] The primary use intended for <UseKeyWith> identifiers is to identify application protocols. <UseKeyWith> URI identifiers MAY be specified that represent key binding issuance and/or use policies instead of or in addition to an application protocol. In this case the <UseKeyWith> element specifies that the key binding complies with the specified policy."

As we understand the objectives of the DSS TC, you are defining a use policy for a signing key.  That use policy is along the lines of:  signature generation is performed by an authorized DSS server and is bound to a given client via a signed attribute.  Once the DSS TC has formalized this policy statement, a URI may be associated with it.  The DSS TC should define this URI and incorporate it into the DSS specification.  The DSS effort is not at the appropriate standards status level for a normative reference from within the XKMS specification.

The XKMS WG would like to thank you for reviewing and commenting on the draft XKMS specification.  We believe this addresses your comments to the best of our ability and assume the issue is closed unless we hear otherwise.

Blair Dillaway on behalf of the XKMS WG
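As an added illustration (not part of the exchange above, nor code from the XKMS WG or DSS TC), here is how an XKMS client could apply the mechanism Blair describes: accept a returned key binding as a DSS-held signing key only when its KeyUsage is Signature and it carries a <UseKeyWith> whose Application is the DSS policy URI. It assumes the XKMS 2.0 namespace, element and attribute names, and uses a placeholder policy URI because the DSS TC had not yet defined the real one.

```python
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Placeholder: the DSS TC is to define the policy URI in the DSS specification;
# substitute the published value once it exists.
DSS_POLICY_URI = "urn:example:dss:server-held-signing-key-policy"

# Constructed sample LocateResult: one DSS-bound signing key, one S/MIME encryption key.
SAMPLE_RESPONSE = f"""<?xml version="1.0"?>
<LocateResult xmlns="{XKMS}" xmlns:ds="{DSIG}" Id="r1" Service="http://xkms.example/"
              ResultMajor="{XKMS}Success">
  <UnverifiedKeyBinding Id="kb1">
    <ds:KeyInfo><ds:KeyName>alice-dss-key</ds:KeyName></ds:KeyInfo>
    <KeyUsage>{XKMS}Signature</KeyUsage>
    <UseKeyWith Application="{DSS_POLICY_URI}" Identifier="alice@example.org"/>
  </UnverifiedKeyBinding>
  <UnverifiedKeyBinding Id="kb2">
    <ds:KeyInfo><ds:KeyName>alice-mail-key</ds:KeyName></ds:KeyInfo>
    <KeyUsage>{XKMS}Encryption</KeyUsage>
    <UseKeyWith Application="urn:ietf:rfc:2633" Identifier="alice@example.org"/>
  </UnverifiedKeyBinding>
</LocateResult>"""


def dss_bound_signing_keys(xml_text, policy_uri=DSS_POLICY_URI):
    """Return (binding Id, KeyName, Identifier) for each key binding that is usable
    for Signature AND declares compliance with the DSS use policy via UseKeyWith."""
    # For responses from an untrusted network, parse with a hardened XML parser instead.
    root = ET.fromstring(xml_text)
    binding_tags = {f"{{{XKMS}}}UnverifiedKeyBinding", f"{{{XKMS}}}KeyBinding"}
    found = []
    for kb in root.iter():
        if kb.tag not in binding_tags:
            continue
        usages = {u.text.strip() for u in kb.findall(f"{{{XKMS}}}KeyUsage") if u.text}
        # XKMS treats an absent KeyUsage as permitting every usage, so only an
        # explicit list that lacks Signature rules the binding out.
        if usages and f"{XKMS}Signature" not in usages:
            continue
        for ukw in kb.findall(f"{{{XKMS}}}UseKeyWith"):
            if ukw.get("Application") == policy_uri:
                name = kb.findtext(f"{{{DSIG}}}KeyInfo/{{{DSIG}}}KeyName")
                found.append((kb.get("Id"), name, ukw.get("Identifier")))
    return found


if __name__ == "__main__":
    print(dss_bound_signing_keys(SAMPLE_RESPONSE))
```

A real client would also validate the response signature and the binding's status before trusting the policy assertion; the check above only isolates the UseKeyWith matching.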
