KeyInfo discussions

FYI, sharing OASIS public list discussion in OASIS SSTC regarding KeyInfo

http://www.oasis-open.org/apps/org/workgroup/security/email/archives/200810/msg00049.html

Please let Scott and myself know if more needs to be said or done in the XML Security WG on this issue.

regards, Frederick

Frederick Hirsch
Nokia



Begin forwarded message:

> From: "ext Scott Cantor" <cantor.2@osu.edu>
> Date: October 21, 2008 6:23:56 PM EDT
> To: "'OASIS SSTC'" <security-services@lists.oasis-open.org>
> Subject: RE: [security-services] Minutes minutes SSTC/SAML concall Tue 21-Oct-2008
>
>> ts: it came up on last call, started from a comment Scott Cantor (sc) made
>> wrt previous version of profile, has to do with <ds: x509 cert> element --
>> what is format of such cert?  his comment had to do with encoding, spec says
>> encoding should be DER, but perhaps it should be left unspecified. I didn't
>> change it in this rev of the doc, because I don't see wisdom in that, not
>> sure why someone would not specify it, it would make it difficult for RP to
>> do confirmation w/o knowing what the encoding is, hoping someone can justify
>> this, AFAIK that is only significant issue remaining in that profile
>
> The justification for not requiring DER is that doing so would be analogous
> to us requiring XML be encoded as UTF-8 instead of relying on the XML to
> signal the encoding used.
>
> In the case of certificates, ASN.1 is the substrate and, I'm led to
> understand, implementations of ASN.1 libraries handle the encodings that
> people use, just as XML parsers handle the encodings that people use.
>
> In other words, I'm told that it's left open in XMLSignature for a reason,
> and it's not clear to me why we have any better reason to constrain it than
> we would for the XML encoding.
>
> Alternatively, I guess I'd be in favor of making this a RECOMMENDED
> encoding, but doing that in SAML core itself, rather than requiring every
> profile that touches this element to repeat it.
>
> -- Scott
>

Received on Wednesday, 22 October 2008 09:35:58 UTC
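The thread above turns on whether the bytes carried in a ds:X509Certificate element must be DER or may be any ASN.1 encoding a decoder happens to accept. The following is an added example, not code from either mailing list or from any SAML or XML Signature implementation: a small pure-Python check that decodes the base64 content of such an element and reports the TLV-level ways in which it departs from strict DER (indefinite lengths and non-minimal length octets, both of which are BER-only). The two sample values are constructed toy structures, not real certificates, and the function names are this example's own. It only inspects tag/length framing; it does not validate certificate contents.

```python
import base64

def _read_length(buf, i):
    """Parse a BER/DER length field starting at buf[i].
    Returns (length, next_index, minimal). length is None for the
    indefinite form (0x80); minimal is False when the long form was
    used where the short form or fewer octets would have sufficed."""
    first = buf[i]
    i += 1
    if first < 0x80:                      # short form, always minimal
        return first, i, True
    if first == 0x80:                     # indefinite form: caller reports it
        return None, i, True
    n = first & 0x7F
    raw = buf[i:i + n]
    if len(raw) != n:
        raise ValueError("truncated length field")
    length = int.from_bytes(raw, "big")
    # DER: long form only for lengths >= 128 and with no leading zero octet
    minimal = length >= 0x80 and raw[0] != 0
    return length, i + n, minimal

def _walk(buf, i, end, path, problems):
    """Parse one TLV at buf[i] (bounded by end), recursing into constructed
    types, appending DER violations to problems. Returns the index just past
    the element."""
    tag = buf[i]
    constructed = bool(tag & 0x20)
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers are not handled by this checker")
    i += 1
    length, i, minimal = _read_length(buf, i)
    if not minimal:
        problems.append(f"{path}: non-minimal length encoding (BER only)")
    if length is None:
        problems.append(f"{path}: indefinite length (BER only)")
        if not constructed:
            raise ValueError(f"{path}: indefinite length on a primitive type")
        n = 0
        # indefinite form ends with the two end-of-contents octets 00 00
        while buf[i:i + 2] != b"\x00\x00":
            if i + 2 > end:
                raise ValueError(f"{path}: missing end-of-contents octets")
            i = _walk(buf, i, end, f"{path}/{n}", problems)
            n += 1
        return i + 2
    stop = i + length
    if stop > end:
        raise ValueError(f"{path}: element runs past its container")
    if constructed:
        j, n = i, 0
        while j < stop:
            j = _walk(buf, j, stop, f"{path}/{n}", problems)
            n += 1
    return stop

def check_x509_certificate_text(b64_text):
    """Decode the text content of a ds:X509Certificate element (whitespace
    and line wrapping ignored) and return a list of DER violations found in
    its TLV framing. An empty list means the framing is DER-acceptable."""
    der = base64.b64decode("".join(b64_text.split()))
    problems = []
    end = _walk(der, 0, len(der), "cert", problems)
    if end != len(der):
        problems.append("trailing bytes after the outermost element")
    return problems

# Constructed samples (not certificates): SEQUENCE { INTEGER 1, UTF8String "der" }
SAMPLE_DER = bytes.fromhex("30 08 02 01 01 0c 03 64 65 72")
# Same value, BER-encoded: indefinite-length SEQUENCE and a long-form length for 1
SAMPLE_BER = bytes.fromhex("30 80 02 81 01 01 0c 03 64 65 72 00 00")
SAMPLE_DER_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_BER_B64 = base64.b64encode(SAMPLE_BER).decode()

if __name__ == "__main__":
    print("DER sample:", check_x509_certificate_text(SAMPLE_DER_B64) or "strict DER")
    print("BER sample:", check_x509_certificate_text(SAMPLE_BER_B64))
```

The point the check makes concrete is the one the minutes raise for the relying party: a decoder will usually accept either sample, but only the DER form has a single canonical byte sequence, so anything that compares, hashes or signs the certificate bytes rather than its decoded fields depends on knowing which encoding it was given.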