- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 25 Feb 2009 14:09:50 +0100
- To: Frederick Hirsch <frederick.hirsch@nokia.com>
- Cc: "public-webapps@w3.org WG" <public-webapps@w3.org>, XMLSec WG Public List <public-xmlsec@w3.org>
On 25 Feb 2009, at 13:50, Frederick Hirsch wrote: >> - 5.2 and 5.3 have an issue about additional algorithms. I suggest >> just being silent about them. > ok to remove the issues? To the extent to which these are about unspecified additional algorithms, that's what I'm proposing. The second hash algorithm question is separate, I think. >> - In 4.4, we currently perform a dance around X.509 version numbers. >> Thinking this through more thoroughly, it worries me that this came >> up, for the following reason: You need an X.509 v3 extension to >> express the basic constraints on a certificate. Without the basic >> constraints extension, it is impossible to distinguish a CA >> certificate from an end entity certificate. Which in turn suggests >> that somebody might have inadvertently generated a CA certificate >> instead of an end entity certificate... In other words, we shouldn't >> ever see an end entity certificate that is X.509 v1 or v2. (And if >> we >> see one, it's a good idea to break it.) > so you suggest simplifying this to v3? I suggest mandating v3 certificates, yes.
Received on Wednesday, 25 February 2009 13:11:03 UTC