
RE: X509IssuerSerial alternatives in WS Security specification

From: Brian LaMacchia <bal@microsoft.com>
Date: Tue, 14 Sep 2010 18:35:40 +0000
To: Scott Cantor <cantor.2@osu.edu>, 'Pratik Datta' <pratik.datta@oracle.com>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Message-ID: <96C9A84DD4EEC3408DD1E6484974A8DE1F800F49@TK5EX14MBXC122.redmond.corp.microsoft.com>
Not only should it be hash-agile, but it should probably support multiple parallel hash values.  

					--bal

-----Original Message-----
From: public-xmlsec-request@w3.org [mailto:public-xmlsec-request@w3.org] On Behalf Of Scott Cantor
Sent: Tuesday, September 14, 2010 9:49 AM
To: 'Pratik Datta'; public-xmlsec@w3.org
Subject: RE: X509IssuerSerial alternatives in WS Security specification

> If you see, some of them build on XML Sig mechanisms e.g. IssuerSerial, and
> some of them are different e.g. the SKI and direct, and some of them are new
> e.g. Thumbprint. We need to have a Thumbprint equivalent in XML Sig.

I was going to propose that we deprecate X509IssuerSerial and leave it at that, mainly because if we do a thumbprint, I think it probably needs to be hash agile. Not so much for XML Signature's use, but the other places KeyInfo gets used it isn't always a hint, but may normatively refer to a key for the purposes of trust establishment.

That seems like a bigger change than we'd want to introduce for Last Call, but if people want it, I can write it up.

I will propose deprecation text for X509IssuerSerial separately, as a replacement for the "take care" text we have there now.

-- Scott
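The thread above argues that a certificate thumbprint in KeyInfo should be hash-agile (carry its algorithm identifier) and may carry several parallel digests. The following Python is an added illustration of that design, not code from any participant or from the XML Signature specification: it produces parallel thumbprints over a certificate's DER bytes keyed by the standard xmldsig/xmlenc digest URIs, renders them in the `ds:X509Digest` shape XML Signature 1.1 later adopted, and shows how a relying party with a "no SHA-1" policy still verifies a reference that also carries SHA-256. `SAMPLE_CERT_DER` is constructed stand-in data, not a real certificate; the function names are this example's own.

```python
import base64
import hashlib
import hmac

# Digest-method URIs from the XML Signature family (xmldsig / xmlenc / xmldsig-more)
# mapped to hashlib names. Keying a thumbprint by URI is what makes it hash-agile:
# the reference names its own algorithm instead of implying SHA-1.
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA384_URI = "http://www.w3.org/2001/04/xmldsig-more#sha384"
SHA512_URI = "http://www.w3.org/2001/04/xmlenc#sha512"
DIGEST_URIS = {
    SHA1_URI: "sha1",
    SHA256_URI: "sha256",
    SHA384_URI: "sha384",
    SHA512_URI: "sha512",
}

# Constructed stand-in for a DER-encoded certificate (not a real X.509 structure);
# in practice the raw DER bytes of the certificate go here.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def thumbprints(cert_der, algorithm_uris):
    """Return parallel (algorithm URI, base64 digest) pairs over the certificate's DER bytes.

    Emitting several pairs for one certificate is the "multiple parallel hash values"
    idea from the thread: a verifier picks the strongest algorithm it supports.
    """
    out = []
    for uri in algorithm_uris:
        digest = hashlib.new(DIGEST_URIS[uri], cert_der).digest()
        out.append((uri, base64.b64encode(digest).decode("ascii")))
    return out


def to_xml(pairs):
    """Render the pairs as ds:X509Digest elements, one per algorithm."""
    return "\n".join(
        f'<ds:X509Digest Algorithm="{uri}">{b64}</ds:X509Digest>' for uri, b64 in pairs
    )


def match_thumbprint(cert_der, references, accepted_uris):
    """Return the URI of the first accepted algorithm whose reference digest matches, else None.

    accepted_uris is the relying party's policy, listed strongest first. Only those
    algorithms are consulted, so SHA-1 can be retired by policy while references that
    also carry SHA-256 keep verifying. Unknown URIs are skipped, never treated as a match.
    """
    by_uri = {uri: b64 for uri, b64 in references if uri in DIGEST_URIS}
    for uri in accepted_uris:
        if uri not in by_uri:
            continue
        expected = base64.b64decode(by_uri[uri])
        actual = hashlib.new(DIGEST_URIS[uri], cert_der).digest()
        if hmac.compare_digest(expected, actual):
            return uri
    return None


if __name__ == "__main__":
    refs = thumbprints(SAMPLE_CERT_DER, [SHA1_URI, SHA256_URI])
    print(to_xml(refs))
    print("SHA-256-only policy matched via:", match_thumbprint(SAMPLE_CERT_DER, refs, [SHA256_URI]))
    print("SHA-1-only reference under SHA-256 policy:",
          match_thumbprint(SAMPLE_CERT_DER, thumbprints(SAMPLE_CERT_DER, [SHA1_URI]), [SHA256_URI]))
```

The last call in the `__main__` block returns `None`: a reference that carries only a SHA-1 thumbprint cannot be verified once a relying party drops SHA-1, which is the operational case for publishing parallel digests rather than a single implied-SHA-1 value.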
Received on Tuesday, 14 September 2010 19:41:26 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 14 September 2010 19:41:26 GMT