W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Re: ACTION-306: Trust anchors

From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
Date: Wed, 25 Feb 2009 18:10:51 -0500
Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>, "public-webapps@w3.org WG" <public-webapps@w3.org>
Message-Id: <043A1725-4DE8-46A8-972E-2DFD5B30A761@nokia.com>
To: ext Thomas Roessler <tlr@w3.org>
ok thanks, good to be clear. I'll go ahead and make the change.

regards, Frederick

Frederick Hirsch
Nokia



On Feb 25, 2009, at 5:59 PM, ext Thomas Roessler wrote:

> I was not suggesting that we should mandate X509Data (or anything like
> it).
>
> The point I was getting at was, that along with our using of X509
> certificates, people really ought to use basic path validation as
> specified in 5280 -- no matter where the certificate comes from.  I
> think your change is fine.
> --
> Thomas Roessler, W3C  <tlr@w3.org>
>
>
>
>
>
>
>
> On 25 Feb 2009, at 23:55, Frederick Hirsch wrote:
>
>> Thanks for the proposal Thomas.
>>
>> This proposal requiring Basic Path Validation seems to conflict with
>> X509Data being optional, the current language that I think we
>> discussed during the meeting:
>>
>> Generation:
>> 5c) The ds:KeyInfo element MAY be included and MAY include
>> certificate, CRL and/or OCSP information. If so, it MUST be
>> compliant with the[XMLDSIG11] specification. If certificates are
>> used they MUST conform to the mandatory certificate format.
>>
>> Validation:
>> If a ds:KeyInfo element is present then it MUST conform to the
>> [XMLDSIG11]specification. If present then any certificate chain
>> SHOULD be validated and any CRL or OCSP information may be used as
>> appropriate [RFC5280]..
>>
>> I suggest we could also adopt your text by changing the final
>> sentence above  to
>>
>> If present then user agents MUST perform Basic Path
>> Validation [RFC 5280] on the signing key and SHOULD perform
>> revocation checking as appropriate.  The set of acceptable
>> trust anchors, and policy decisions based on the signer's identity
>> are established through a security-critical out-of-band mechanism.
>>
>> Question:
>> Should re require use of X509Data to convey certificates?
>>
>> I was suggesting not, since this could be conveyed out of band and
>> it might not always be appropriate to include in every signature.
>>
>> Thoughts on this one?
>>
>> regards, Frederick
>>
>> Frederick Hirsch
>> Nokia
>>
>>
>>
>> On Feb 25, 2009, at 9:23 AM, ext Thomas Roessler wrote:
>>
>>> I propose that we add te following text in the beginning of 6.2:
>>>
>>>> The validation procedure given in this section describes extensions
>>>> to XML Signature Core Validation.  In addition to the steps defined
>>>> in these two specifications, user agents MUST perform Basic Path
>>>> Validation [RFC 5280] on the signing key.  The set of acceptable
>>>> trust anchors, and policy decisions based on the signer's identity
>>>> are established through a security-cirtical out-of-band mechanism.
>>>
>>> (If somebody can think of something nicer to say, that's fine as
>>> well.  Note that the Basic Path Validation requirement isn't really
>>> new -- it's implicit to our use of X.509, if done properly.
>>> Nevertheless, worth calling out properly.)
>>>
>>> --
>>> Thomas Roessler, W3C  <tlr@w3.org>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>
Received on Wednesday, 25 February 2009 23:11:38 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:30 GMT