W3C home > Mailing lists > Public > public-xmlsec@w3.org > September 2010

X509IssuerSerial alternatives in WS Security specification

From: Pratik Datta <pratik.datta@oracle.com>
Date: Tue, 14 Sep 2010 09:16:52 -0700 (PDT)
Message-ID: <e2a0d82d-a9eb-4af0-ab1d-671de33617bf@default>
To: Scott Cantor <cantor.2@osu.edu>, public-xmlsec@w3.org
The Web Services Security X.509 Certificate Token Profile 1.1 document 

http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-x509TokenProfile.pdf

talks about different ways of referring to a certificate

1) Using SKI 
     <ds:KeyInfo>
        <wsse:SecurityTokenReference>
           <wsse:KeyIdentifier EncodingType="...#Base64Binary" ValueType="...#X509SubjectKeyIdentifier">
               MIGfMa0GCSq.
          </wsse:KeyIdentifier>
        </wsse:SecurityTokenReference>
     </ds:KeyInfo>


2) Using Direct reference
     <ds:KeyInfo>
        <wsse:SecurityTokenReference>
           <wsse:Reference URI="#binaryToken"/>
        </wsse:SecurityTokenReference>
     </ds:KeyInfo>


3) Using IssuerSerial
     <ds:KeyInfo>
        <wsse:SecurityTokenReference>
          <ds:X509Data>
            <ds:X509IssuerSerial>
              <ds:X509IssuerName>
                 DC=ACMECorp, DC=com
              </ds:X509IssuerName>
              <ds:X509SerialNumber>12345678</ds:X509SerialNumber>
            </ds:X509IssuerSerial>
          </ds:X509Data>
        </wsse:SecurityTokenReference>
     </ds:KeyInfo>


4) Using Thumbprint
     <ds:KeyInfo>
        <wsse:SecurityTokenReference>
           <wsse:KeyIdentifier ValueType="...#ThumbprintSHA1" >
             LKiQ/CmFrJDJqCLFcjlhIsmZ/+0= 
           </wsse:KeyIdentifier> 
        </wsse:SecurityTokenReference>
     </ds:KeyInfo>




If you see, some of them build on XML Sig mechanisms e.g. IssuerSerial, and some of them are different e.g. the SKI and direct, and some of them are new e.g. Thumbprint. We need to have a Thumbprint equivalent in XML Sig.

Pratik


-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Tuesday, September 14, 2010 8:27 AM
To: Pratik Datta
Subject: KeyIdentifier

Pratik,

I think the thumbprint option in WSS is the KeyIdentifier element? It looks
like there's language there pretty tightly constraining it to appear inside
an STR, so I suspect it's not the best idea to expect people to adopt it
generically.

-- Scott
Received on Tuesday, 14 September 2010 16:18:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 14 September 2010 16:18:03 GMT