W3C home > Mailing lists > Public > public-appformats@w3.org > March 2008

Re: [widgets-digsig] Comment on use of X.509 v3

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Tue, 25 Mar 2008 13:14:41 +1000
Message-ID: <b21a10670803242014y84e29e7w96b2306fad34b183@mail.gmail.com>
To: "Hal Lockhart" <hlockhar@bea.com>
Cc: public-appformats@w3.org, member-xmlsec-maintwg-request@w3.org

HI Hal,

On Fri, Mar 21, 2008 at 10:13 PM, Hal Lockhart <hlockhar@bea.com> wrote:
>  The current draft of Widgets 1.0: Digital Signature says:
>  3. The digital certificate format must be [X.509v3].
>  This actually is not well defined, however I will assume what is meant
>  is that version field contains a value of 2 (indicating v3).
>  Experience with interoperability testing has shown that some popular PK
>  libraries will only mark certificates as v3 if one or more extension
>  fields are present. Otherwise the version field will be set to zero
>  (indicating version 1). The intention is to provide interoperation with
>  older implementations which only support v1.
>  If the intention is to require the use of extensions in certificates,
>  then restricting certificates to v3 is reasonable. However I see nothing
>  in the document that suggests this. If not, you may want to consider
>  allowing certificates to be labeled as either v1 or v3.

Our intention was not to limit the certificate versions, but only to
say that a certificate must conform with the "[X509v3]" specification,
which is:

ITU-T Recommendation X.509 version 3 (1997). "Information Technology -
Open Systems Interconnection - The Directory Authentication Framework"
 ISO/IEC 9594-8:1997.

Hopefully, the wording of the Widget DigSig spec reflects the XML
DigSig specification [1], which reads:

"The X509Certificate element, which contains a base64-encoded [X509v3]

The intent in our spec is that only the <X509Data> and
<X509Certificate> elements be used when signing a widget (hence
[X509v3]; other certificate types are not currently supported by
I will change the text in the Widget Dig Sig spec to make it more
clear and possibly add a note reflecting your comments.

Please let me know if that is suitable.

Kind regards,

[1] http://www.w3.org/TR/xmldsig-core/#sec-X509Data

Marcos Caceres
Received on Tuesday, 25 March 2008 03:15:21 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:50:09 UTC