W3C home > Mailing lists > Public > public-xmlsec@w3.org > September 2010

RE: X509IssuerSerial alternatives in WS Security specification

From: Pratik Datta <pratik.datta@oracle.com>
Date: Tue, 14 Sep 2010 12:42:37 -0700 (PDT)
Message-ID: <9f0b3622-c0dc-414c-8a4f-5ba7fe055a85@default>
To: public-xmlsec@w3.org
Brian, Scott
Can you explain what you mean by 'hash-agile' and 'parallel-hash'  ?


-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Tuesday, September 14, 2010 12:36 PM
To: Brian LaMacchia; Pratik Datta; public-xmlsec@w3.org
Subject: RE: X509IssuerSerial alternatives in WS Security specification

> Depends on how you define it, of course, but assuming you want an
> independent, reusable element you don't want to be constrained by having
> ship an X509Data encapsulator around if you don't need it.  But I'll wait
> see the specific language you propose.

So I guess people want this? Alright, I'll put together a proposal, but it's
basically just:

<X509Digest Algorithm="...">

Probably with a SHA-1 default for compactness.

But it's just a KeyInfo child, it has no specific reference to a container
element. See also dsig11:OCSPResponse; we can't control where it appears,
but in prose we present it as a child of X509Data. I was assuming the same
goes here, and that we're talking about a certificate hash, rather than a
hash over arbitrary keying material.

Regardless of where it appears, all extension points in KeyInfo and X509Data
are multiply occurring, so it doesn't make sense to build in repetition
inside the child.

-- Scott
Received on Tuesday, 14 September 2010 19:44:26 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:55:14 UTC