W3C home > Mailing lists > Public > www-xkms@w3.org > November 2002

XKMS OCSP issue

From: <Frederick.Hirsch@nokia.com>
Date: Mon, 11 Nov 2002 09:25:45 -0500
Message-ID: <E320A8529CF07E4C967ECC2F380B0CF901067F32@bsebe001.americas.nokia.com>
To: <www-xkms@w3.org>
XKMS Requirement 2.5.4 states (Editors draft http://www.w3.org/2001/XKMS/Drafts/xkms-req.html) :

"The following KeyInfo formats MUST be supported: KeyName, KeyValue, RetrievalMethod and MgmtData.
The X509Certificate KeyInfo format MUST be supported by a trust server if the service claims interoperability with PKIX X.509. Additional KeyInfo formats such as X509Chain, OCSP, and X509CRL MAY be supported. X509Chain and OCSP MUST be defined in the XKMS specifications. X509CRL is defined in the XML Signature recommendation.
The XKMS registration Private format MUST be supported if the service supports either service generated key pairs or key recovery.[List(Sebastien Pouliot)]"
---
The XKMS spec (  http://www.w3.org/2001/XKMS/Drafts/XKMS20021017/xkms-part-1.html) defines a RespondWith value for OCSP as (section 2.8.6), line 75):

identifier:  xkms:OCSP
ds:KeyInfo Element:  <ds:X509Data>
Description:  PKIX OCSP token that validates an X509v3 certificate that authenticates the key

The X509Data element is defined in the XML Digital Signature Rec ( http://www.w3.org/TR/xmldsig-core/#sec-X509Data ) and specifies different
meanings for the element, such as X509IssuerSerial, X509SubjectName, X509SKI, X509Certificate, and X509CRL. OCSP is not defined. 
 
Thus to meet the requirement and to address the issue list item #86 in Other Issues I propose that the following definition be added to the XKMS
specification part 1:
 
   <element name="X509OCSP" type="base64Binary"/> in the XKMS namespace
 
This can be a child of the ds:X509Data type. which is already extensible. The value returned in response to the OCSP respondWith should be
a <ds:X509Data><xkms:X509OCSP>...<</xkms:X509OCSP></ds:X509Data> element.
 
Defining this sub-element makes the data self-describing and consistent with the other definitions in XML Digital Signature.
 
We agreed in the conference call that the meaning of the content of this element does not need further definition.
 
I believe this would close the issue - does this make sense?
 
For clarification, if RespondWith xkms:X509CRL is used, the response is <ds:X509Data> <ds:X509CRL>...
Should this be stated in the spec line 75?


br, Frederick

---------------------------------------
Frederick Hirsch
Technology Architect
Nokia Mobile Phones
5 Wayside Rd., Burlington, MA 01803 USA
frederick.hirsch@nokia.com
+1 781-993-3735
Received on Monday, 11 November 2002 09:26:28 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:39:18 GMT