
Re: Review of latest Widget Signature Draft

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 25 Feb 2009 14:09:50 +0100
To: Frederick Hirsch <frederick.hirsch@nokia.com>
Message-Id: <A4129906-0656-495A-938C-FA94EABD5DC4@w3.org>
Cc: "public-webapps@w3.org WG" <public-webapps@w3.org>, XMLSec WG Public List <public-xmlsec@w3.org>

On 25 Feb 2009, at 13:50, Frederick Hirsch wrote:

>> - 5.2 and 5.3 have an issue about additional algorithms.  I suggest
>> just being silent about them.

> ok to remove the issues?

To the extent to which these are about unspecified additional  
algorithms, that's what I'm proposing.  The second hash algorithm  
question is separate, I think.

>> - In 4.4, we currently perform a dance around X.509 version numbers.
>> Thinking this through more thoroughly, it worries me that this came
>> up, for the following reason:  You need an X.509 v3 extension to
>> express the basic constraints on a certificate.  Without the basic
>> constraints extension, it is impossible to distinguish a CA
>> certificate from an end entity certificate.  Which in turn suggests
>> that somebody might have inadvertently generated a CA certificate
>> instead of an end entity certificate...  In other words, we shouldn't
>> ever see an end entity certificate that is X.509 v1 or v2.  (And if
>> we see one, it's a good idea to break it.)

> so you suggest simplifying this to v3?

I suggest mandating v3 certificates, yes.

Received on Wednesday, 25 February 2009 13:10:01 GMT
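The point about v1/v2 certificates made in the message above, as an added example that is not part of the original message or of the draft under review: a minimal pure-Python DER walk that reads a certificate's version and basicConstraints and applies a v3-only policy. The function names, the rejection of CA-flagged certificates, and the skeleton TBSCertificate samples (version, serial and extensions only, not valid certificates) are assumptions constructed for illustration.

```python
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19 (basicConstraints)

def read_tlv(buf, pos):  # one definite-length DER element -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def inspect_tbs(tbs_der):
    """Return (version, is_ca); is_ca is None when basicConstraints is absent."""
    fields = children(read_tlv(tbs_der, 0)[1])
    # The [0] version field is optional; when it is absent the certificate is v1.
    version = children(fields[0][1])[0][1][0] + 1 if fields[0][0] == 0xA0 else 1
    is_ca = None
    for tag, value in fields:
        if tag == 0xA3:  # [3] extensions, which only v3 defines
            for _, ext in children(children(value)[0][1]):
                parts = children(ext)  # OID, optional critical flag, OCTET STRING
                if parts[0][1] == BASIC_CONSTRAINTS:
                    bc = children(children(parts[-1][1])[0][1])
                    is_ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] != b"\x00"
    return version, is_ca

def signer_policy(tbs_der):
    """Assumed policy: accept only v3 certificates that are not marked as a CA."""
    version, is_ca = inspect_tbs(tbs_der)
    if version != 3:
        return "reject: v%d cannot carry basicConstraints" % version
    return "reject: CA certificate" if is_ca else "accept"

def tlv(tag, body):  # short-form encoder, enough for the constructed samples
    return bytes([tag, len(body)]) + body

def sample(version, ca=None):  # constructed skeleton, not a valid certificate
    out = tlv(0xA0, tlv(0x02, bytes([version - 1]))) if version > 1 else b""
    out += tlv(0x02, b"\x01")  # serialNumber
    if ca is not None:
        bc = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")
        ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS) + tlv(0x04, bc))
        out += tlv(0xA3, tlv(0x30, ext))
    return tlv(0x30, out)
```

With a v1 or v2 input `is_ca` is always `None`, because the extensions field that would carry the flag does not exist in those versions.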