
Re: proposed XML Signature 1.1 addition

From: Sean Mullan <Sean.Mullan@Sun.COM>
Date: Thu, 14 Jan 2010 15:34:56 -0500
To: Frederick Hirsch <frederick.hirsch@nokia.com>
Cc: XMLSec WG Public List <public-xmlsec@w3.org>
Message-id: <4B4F7FF0.4030904@sun.com>

I question the value of this. The AKID does not help identify the 
signer's certificate, it helps identify the CA certificate that 
issued/signed it. Can you describe a use case for how this would be used?

--Sean

Frederick Hirsch wrote:
> [not as chair]
> 
> Would it be possible to add a new element to XML Signature 1.1, namely 
> X509AKI - I view this as along the same lines as the added OCSP element.
> 
> Proposal:
> 
> Add dsig11:X509AKI to list in #1 in section 4.5.4 The X509Data Element
> 
> The X509AKI element which contains the base64 encoded plain (i.e. 
> non-DER-encoded) value of an X509 V.3 Authority Key Identifier extension.
> 
> with schema
> <element name="X509AKI" type="base64Binary"/>
> ---
> 
> I've gotten feedback that this would be helpful and would like to propose 
> we add it before Last Call.
> 
> Thanks
> 
> regards, Frederick
> 
> Frederick Hirsch
> Nokia
Received on Thursday, 14 January 2010 20:35:25 GMT
