
[widgets-digsig] Comment on use of X.509 v3

From: Hal Lockhart <hlockhar@bea.com>
Date: Fri, 21 Mar 2008 05:13:03 -0700
Message-ID: <2E22E42D2E71B845B67F093A02B962DB0217F85B@repbex01.amer.bea.com>
To: <public-appformats@w3.org>
Cc: <member-xmlsec-maintwg-request@w3.org>

The current draft of Widgets 1.0: Digital Signature says:

3. The digital certificate format must be [X.509v3].

This actually is not well defined; however, I will assume what is meant
is that the version field contains a value of 2 (indicating v3).

Experience with interoperability testing has shown that some popular PK
libraries will only mark certificates as v3 if one or more extension
fields are present. Otherwise the version field will be set to zero
(indicating version 1). The intention is to provide interoperation with
older implementations which only support v1.

If the intention is to require the use of extensions in certificates,
then restricting certificates to v3 is reasonable. However, I see nothing
in the document that suggests this. If not, you may want to consider
allowing certificates to be labeled as either v1 or v3.

Hal Lockhart
Office of the CTO
BEA Systems
Received on Friday, 21 March 2008 12:13:51 GMT
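As an added example (not part of Hal's mail, the Widgets draft, or any W3C code), the following Python reads the version field and the [3] extensions element out of a DER certificate and applies the relaxed rule suggested above: accept a certificate labeled v1 or v3, and insist on v3 only when extensions are actually required. The DER helpers, the constructed certificate skeletons, and the function names are assumptions made for illustration; a real validator would use a full X.509 library.

```python
def tlv(tag, value):  # short-form DER TLV, enough for the constructed samples
    return bytes([tag, len(value)]) + value

def der_tlv(buf, pos=0):
    """Decode the DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, as seen in real certificates
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

# Constructed skeletons (not real certificates): Certificate ::= SEQUENCE {
#   tbsCertificate SEQUENCE { [0] version OPTIONAL, serialNumber, ..., [3] extensions OPTIONAL },
#   signatureAlgorithm, signatureValue }.  Only the fields the check reads are populated.
EXTENSIONS = tlv(0xA3, tlv(0x30, b""))  # [3] EXPLICIT wrapping an empty extension list

def make_cert(version=None, extensions=b""):
    tbs = tlv(0xA0, tlv(0x02, bytes([version]))) if version is not None else b""
    tbs += tlv(0x02, b"\x01") + extensions  # serialNumber, then any extensions
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def cert_version_info(cert):
    """Return (version field value, extensions present) read from tbsCertificate."""
    _, body, _ = der_tlv(cert)
    _, tbs, _ = der_tlv(body)
    fields = der_children(tbs)
    version = 0  # an absent [0] field means DEFAULT v1, encoded as 0
    if fields and fields[0][0] == 0xA0:
        version = int.from_bytes(der_children(fields[0][1])[0][1], "big")
    return version, any(tag == 0xA3 for tag, _ in fields)

def acceptable_version(cert, require_extensions=False):
    """Relaxed rule: accept v1 (0) or v3 (2); demand extensions only when asked to."""
    version, has_ext = cert_version_info(cert)
    if has_ext and version != 2:
        return False  # extensions present but not marked v3: malformed (RFC 5280 s4.1.2.1)
    if require_extensions and not has_ext:
        return False
    return version in (0, 2)
```

Note that the check also rejects the inconsistent case of extensions present in a certificate not marked v3, since RFC 5280 requires version 3 whenever extensions appear; that case is a malformed certificate rather than the v1-compatibility behaviour Hal describes.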
