In this second application the XKMS service may choose to impose some form
of validation constraint on the certs that it accepts. For example only
accepting certs from a limited number of CAs - or it may not.
This specification does not provide this level of detail.
That is intentional. The specification defines the protocol. It does not
state how to use the protocol any more than Kernighan and Ritchie tell users
how to program in C, still less the programs they should write.
This may be what some vendors are looking for: claiming *compatibility* with
XKMS, while in reality each vendor will be non-interoperable with any other
vendor and will have its own concept of trust (hidden and different from any
other vendor).
That is again intentional. XKMS is not simply an interface to a PKI; it is a
key-centric PKI in its own right.
An XKMS vendor can choose to robotically reflect the status of X.509 certs
with its service, or it can choose to reflect its view of the
trustworthiness of the keys themselves.
The specification only defines the interface between the TV and the cable;
it does not require CNN and Fox News to broadcast exactly the same content
at all times.
Phill