
RE: X509IssuerSerial alternatives in WS Security specification

From: Scott Cantor <cantor.2@osu.edu>
Date: Tue, 14 Sep 2010 15:36:15 -0400
To: "'Brian LaMacchia'" <bal@microsoft.com>, "'Pratik Datta'" <pratik.datta@oracle.com>, <public-xmlsec@w3.org>
Message-ID: <01ea01cb5444$18ae5a60$4a0b0f20$@osu.edu>

> Depends on how you define it, of course, but assuming you want an
> independent, reusable element you don't want to be constrained by having
> to ship an X509Data encapsulator around if you don't need it.  But I'll
> wait to see the specific language you propose.

So I guess people want this? Alright, I'll put together a proposal, but it's
basically just:

<X509Digest Algorithm="...">
</X509Digest>

Probably with a SHA-1 default for compactness.

But it's just a KeyInfo child, it has no specific reference to a container
element. See also dsig11:OCSPResponse; we can't control where it appears,
but in prose we present it as a child of X509Data. I was assuming the same
goes here, and that we're talking about a certificate hash, rather than a
hash over arbitrary keying material.

Regardless of where it appears, all extension points in KeyInfo and X509Data
are multiply occurring, so it doesn't make sense to build in repetition
inside the child.

-- Scott
Received on Tuesday, 14 September 2010 19:36:51 GMT
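The certificate-hash element sketched in the message above, worked through as an added example; this code is not from the thread, from Scott Cantor, or from any W3C deliverable. It assumes the element shape the message proposes (a digest over the DER encoding of a certificate, carried in an Algorithm attribute plus base64 text, placed either directly under KeyInfo or inside X509Data, and allowed to repeat), the real XML Signature 1.1 namespace http://www.w3.org/2009/xmldsig11# and the standard XML DSig/XML Encryption digest algorithm URIs. The DER "certificates" are constructed placeholder byte strings, not real certificates, and the example defaults to SHA-256 rather than the SHA-1 default the message mentions; the SHA-1 URI is still accepted for compatibility. The resolver iterates over every X509Digest it finds, wherever it sits in KeyInfo, skips unknown algorithms and malformed base64, and compares digests in constant time.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Real namespace URIs for XML Signature 1.0 and 1.1.
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
DSIG11_NS = "http://www.w3.org/2009/xmldsig11#"

# Real digest algorithm identifiers from XML DSig, XML Encryption and RFC 4051.
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA384_URI = "http://www.w3.org/2001/04/xmldsig-more#sha384"
SHA512_URI = "http://www.w3.org/2001/04/xmlenc#sha512"

DIGEST_ALGORITHMS = {
    SHA1_URI: "sha1",  # accepted for compatibility, not recommended for new deployments
    SHA256_URI: "sha256",
    SHA384_URI: "sha384",
    SHA512_URI: "sha512",
}

ET.register_namespace("ds", DSIG_NS)
ET.register_namespace("dsig11", DSIG11_NS)

# Constructed stand-ins for DER-encoded certificates (not real certificates);
# only their bytes matter, since the digest covers the raw DER encoding.
CERTS: Dict[str, bytes] = {
    "signing-2010": b"\x30\x82\x01\x0a" + bytes(range(32)),
    "signing-2009": b"\x30\x82\x01\x0a" + bytes(range(32, 64)),
}


def cert_digest(cert_der: bytes, algorithm_uri: str) -> bytes:
    """Digest the DER encoding of a certificate with the named XML DSig algorithm."""
    try:
        name = DIGEST_ALGORITHMS[algorithm_uri]
    except KeyError:
        raise ValueError(f"unsupported digest algorithm: {algorithm_uri}")
    return hashlib.new(name, cert_der).digest()


def make_x509_digest(cert_der: bytes, algorithm_uri: str = SHA256_URI) -> ET.Element:
    """Build <dsig11:X509Digest Algorithm="...">base64(digest)</dsig11:X509Digest>."""
    el = ET.Element(f"{{{DSIG11_NS}}}X509Digest", {"Algorithm": algorithm_uri})
    el.text = base64.b64encode(cert_digest(cert_der, algorithm_uri)).decode("ascii")
    return el


def make_key_info(cert_der: bytes, algorithm_uri: str = SHA256_URI,
                  inside_x509data: bool = True) -> str:
    """Serialize a ds:KeyInfo carrying one X509Digest, with or without an X509Data wrapper."""
    key_info = ET.Element(f"{{{DSIG_NS}}}KeyInfo")
    parent = ET.SubElement(key_info, f"{{{DSIG_NS}}}X509Data") if inside_x509data else key_info
    parent.append(make_x509_digest(cert_der, algorithm_uri))
    return ET.tostring(key_info, encoding="unicode")


def resolve_certificate(key_info_xml: str, candidates: Dict[str, bytes]) -> Optional[str]:
    """Return the name of the first candidate whose digest matches any X509Digest in KeyInfo.

    Every X509Digest under KeyInfo is considered, regardless of container, because
    the extension points in KeyInfo and X509Data may occur multiple times.
    """
    root = ET.fromstring(key_info_xml)
    for digest_el in root.iter(f"{{{DSIG11_NS}}}X509Digest"):
        algorithm_uri = digest_el.get("Algorithm")
        if algorithm_uri not in DIGEST_ALGORITHMS:
            continue  # unknown or missing algorithm: never guess, move on
        try:
            wanted = base64.b64decode("".join((digest_el.text or "").split()), validate=True)
        except ValueError:
            continue  # malformed base64: treat as non-matching
        if not wanted:
            continue
        for name, der in candidates.items():
            # Constant-time comparison; differing lengths simply compare unequal.
            if hmac.compare_digest(cert_digest(der, algorithm_uri), wanted):
                return name
    return None


if __name__ == "__main__":
    xml = make_key_info(CERTS["signing-2010"])
    print(xml)
    print("resolved:", resolve_certificate(xml, CERTS))
```

Placed under X509Data or directly under KeyInfo, the element resolves the same way; a relying party that only looks inside X509Data would miss the second form, which is the interoperability point behind describing the placement in prose.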
