Re: NotBoundAuthentication from Tommy Lindberg on 2004-12-06 (www-xkms@w3.org from December 2004)

From: Tommy Lindberg <tommy.lindberg@gmail.com>
Date: Mon, 6 Dec 2004 14:22:00 +0000
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Guillermo ? Rey <alvarorg@cs.tcd.ie>, XKMS WG <www-xkms@w3.org>
Message-ID: <18ec59cc04120606226aada42f@mail.gmail.com>

> Not sure if the KeyName would be best there,

I second that. It seems to me that the KeyInfo in the
PrototypeKeyBinding is intended to communicate information to be bound
to the key pair being registered.

> So, I'd say we're ok not to change the schema for this one -
> there's enough flexibility for what is probably a corner case.

I am of the same opinion.

> Tommy's b64 idea
I can't take credit for the b64 part - this is a schema requirement
:).  My example is deliberatly simplified to illustrate a point - I
imagine you can throw anything in there; some DER, a bit of XML etc.

I think the prose could be clearer:
- while the schema allows for NotBoundAuthentication  be used in any
XKRSS message section 7.1.3 paragraph says that NotBoundAuthentication
is for registration only.

- section 7.1.5  paragraph [296] makes liberal use of the phrase
"limited use shared secret" ; I don't like the innuendo of that and
suggest that replacing this with simply "authentication data" would be
more appropriate.  Sure, using a limited use shared secret even as per
section 8.1 may well be part of the Protocol, but this is specified by
the Protocol and therefore out of scope in this spec.

Regards
Tommy

On Mon, 06 Dec 2004 13:49:27 +0000, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
> 
> Tommy, Guillermo,
> 
> Not sure if the KeyName would be best there, since I'd rather
> keep the key and auth-id names separate, but in any case,
> there's Tommy's b64 idea or how about "secret+sfarrell@cs.tcd.ie"
> (like people use to filter emails). I could also imagine using
> (whatever's the official term for) a CGI parameter in the URI
> itself ("http://www.cs.tcd.ie/secrets?u=sfarrell").
> 
> So, I'd say we're ok not to change the schema for this one -
> there's enough flexibility for what is probably a corner case.
> 
> Stephen.
> 
> 
> 
> Guillermo Álvaro Rey wrote:
> 
> > El lun, 06-12-2004 a las 00:14, Tommy Lindberg escribió:
> >
> >>/How is the shared secret "holder" in an NotBoundAuthentication intended to be
> >>identified?/
> >>
> >
> > Hi Tommy,
> >
> > I would say that the key name could be specified in the KeyInfo element
> > in the PrototypeKeyBinding, avoiding the need for a change in the schema
> > regarding NotBoundAuthentication.
> >
> > Regards,
> > - -Guillermo
> >
> >>/Apart from altering the schema (adding a "Name" attribute) the only
> >>reasonable option seems to be, to combine these two pieces of
> >>information and include their base64 encoding in the Value attribute.
> >>
> >>For example, a protocol defined out of scope to XKMS and identified by the URI
> >>urn:example-protocol:username-password specifies that the Value
> >>attribute carries
> >>a username/password pair separated by a ':'  would take the form of
> >>the following
> >>instance fragment
> >>
> >><NotBoundAuthentication
> >>    Protocol="urn:example-protocol:username-password"
> >>    Value="YWxpY2U6c2VjcmV0"/>
> >>
> >>Regards
> >>Tommy/
> >>
>

Received on Monday, 6 December 2004 14:26:45 UTC