Re: [widgets-digsig] Comment on use of X.509 v3

Hi Hal,

On Fri, Mar 21, 2008 at 10:13 PM, Hal Lockhart <hlockhar@bea.com> wrote:
>
>  The current draft of Widgets 1.0: Digital Signature says:
>
>  3. The digital certificate format must be [X.509v3].
>
>  This actually is not well defined, however I will assume what is meant
>  is that version field contains a value of 2 (indicating v3).
>
>  Experience with interoperability testing has shown that some popular PK
>  libraries will only mark certificates as v3 if one or more extension
>  fields are present. Otherwise the version field will be set to zero
>  (indicating version 1). The intention is to provide interoperation with
>  older implementations which only support v1.
>
>  If the intention is to require the use of extensions in certificates,
>  then restricting certificates to v3 is reasonable. However I see nothing
>  in the document that suggests this. If not, you may want to consider
>  allowing certificates to be labeled as either v1 or v3.

Our intention was not to limit the certificate versions, but only to
say that a certificate must conform with the "[X509v3]" specification,
which is:

ITU-T Recommendation X.509 version 3 (1997). "Information Technology -
Open Systems Interconnection - The Directory Authentication Framework"
ISO/IEC 9594-8:1997.

Hopefully, the wording of the Widget DigSig spec reflects the XML
DigSig specification [1], which reads:

"The X509Certificate element, which contains a base64-encoded [X509v3]
certificate..."

The intent in our spec is that only the <X509Data> and
<X509Certificate> elements be used when signing a widget (hence
[X509v3]; other certificate types are not currently supported by
widgets).
I will change the text in the Widget DigSig spec to make it more
clear and possibly add a note reflecting your comments.

Please let me know if that is suitable.

Kind regards,
Marcos

[1] http://www.w3.org/TR/xmldsig-core/#sec-X509Data

-- 
Marcos Caceres
http://datadriven.com.au

Received on Tuesday, 25 March 2008 03:15:21 UTC
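The interoperability point Hal raises turns on how the version field is actually encoded: in a TBSCertificate the field is `[0] EXPLICIT Version DEFAULT v1`, with the value 0 meaning v1 and 2 meaning v3, and DER (X.690) requires a component equal to its DEFAULT to be omitted, so a conforming v1 certificate has no version field at all, while some libraries write an explicit 0. The example below, added here and not code from the Widgets DigSig spec, the XML DigSig spec, or either correspondent, reads that field straight out of DER and reports whether the certificate carries an extensions block (RFC 5280 permits extensions only when the version is v3). The function names (`build_sample_cert`, `inspect_certificate`) are mine, the certificates it builds are constructed, structurally minimal stand-ins with placeholder names and a dummy signature that will not validate anywhere, and the DER reader handles only the single-byte tags X.509 uses.

```python
"""Inspect the X.509 version field and extensions of a DER certificate.

Added example for this thread, not code from the Widgets DigSig or XML
DigSig specs. The sample certificates are constructed test data: placeholder
names, an empty key, a dummy signature. The DER reader is deliberately
minimal (single-byte tags only, no validation beyond what is shown).
"""


def der_len(n):
    """DER length octets: short form below 128, long form at or above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One tag-length-value element (single-byte tag only)."""
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    """Non-negative INTEGER with a minimal two's-complement body."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def build_sample_cert(version_field, with_extensions):
    """Constructed sample Certificate (hypothetical helper, not a real cert).

    version_field=None omits the [0] field entirely, which is what DER
    requires for v1 because 0 is the DEFAULT; an int writes it explicitly,
    as some libraries do even for v1.
    """
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    empty_name = tlv(0x30, b"")                        # empty RDNSequence
    validity = tlv(0x30, tlv(0x17, b"080325000000Z") + tlv(0x17, b"090325000000Z"))
    spki = tlv(0x30, sha256_rsa + tlv(0x03, b"\x00"))  # placeholder key
    tbs = b""
    if version_field is not None:
        tbs += tlv(0xA0, der_int(version_field))       # [0] EXPLICIT Version
    tbs += der_int(1) + sha256_rsa + empty_name + validity + empty_name + spki
    if with_extensions:
        # basicConstraints (2.5.29.19) carrying an empty SEQUENCE value
        basic = tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x04, tlv(0x30, b"")))
        tbs += tlv(0xA3, tlv(0x30, basic))             # [3] EXPLICIT Extensions
    return tlv(0x30, tlv(0x30, tbs) + sha256_rsa + tlv(0x03, b"\x00"))


def read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split a constructed element's content into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def inspect_certificate(der):
    """Report the raw version field, the X.509 version it denotes, and
    whether the TBSCertificate carries an extensions block."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tbs_tag, tbs, _ = read_tlv(cert, 0)
    if tbs_tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    fields = children(tbs)
    version_field = 0                                  # DEFAULT v1 when absent
    if fields and fields[0][0] == 0xA0:
        (int_tag, int_body), = children(fields[0][1])
        if int_tag != 0x02:
            raise ValueError("version must be an INTEGER")
        version_field = int.from_bytes(int_body, "big", signed=True)
    has_extensions = any(t == 0xA3 for t, _ in fields)
    return {
        "version_field": version_field,
        "version": "v%d" % (version_field + 1),        # field value 2 means v3
        "has_extensions": has_extensions,
        # RFC 5280 4.1.2.9: extensions may appear only when the version is v3
        "extensions_without_v3": has_extensions and version_field != 2,
    }


if __name__ == "__main__":
    for label, cert in [("v1, field omitted", build_sample_cert(None, False)),
                        ("v3 with extensions", build_sample_cert(2, True)),
                        ("v3, no extensions", build_sample_cert(2, False))]:
        print(label, inspect_certificate(cert))
```

A check written this way accepts the certificates Hal describes (version field absent or explicitly 0, no extensions) as well as ones marked v3 with or without extensions, and flags the one combination that is actually malformed: an extensions block in a certificate whose version field is not 2.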