- From: Pratik Datta <pratik.datta@oracle.com>
- Date: Tue, 14 Sep 2010 09:16:52 -0700 (PDT)
- To: Scott Cantor <cantor.2@osu.edu>, public-xmlsec@w3.org
The Web Services Security X.509 Certificate Token Profile 1.1 document
http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-x509TokenProfile.pdf
talks about different ways of referring to a certificate

1) Using SKI

  <ds:KeyInfo>
    <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier EncodingType="...#Base64Binary"
                          ValueType="...#X509SubjectKeyIdentifier">
        MIGfMa0GCSq.
      </wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>

2) Using Direct reference

  <ds:KeyInfo>
    <wsse:SecurityTokenReference>
      <wsse:Reference URI="#binaryToken"/>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>

3) Using IssuerSerial

  <ds:KeyInfo>
    <wsse:SecurityTokenReference>
      <ds:X509Data>
        <ds:X509IssuerSerial>
          <ds:X509IssuerName>DC=ACMECorp, DC=com</ds:X509IssuerName>
          <ds:X509SerialNumber>12345678</ds:X509SerialNumber>
        </ds:X509IssuerSerial>
      </ds:X509Data>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>

4) Using Thumbprint

  <ds:KeyInfo>
    <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier ValueType="...#ThumbprintSHA1">
        LKiQ/CmFrJDJqCLFcjlhIsmZ/+0=
      </wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>

If you see, some of them build on XML Sig mechanisms, e.g. IssuerSerial, some of them are different, e.g. the SKI and direct, and some of them are new, e.g. Thumbprint. We need to have a Thumbprint equivalent in XML Sig.

Pratik

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Tuesday, September 14, 2010 8:27 AM
To: Pratik Datta
Subject: KeyIdentifier

Pratik,

I think the thumbprint option in WSS is the KeyIdentifier element? It looks like there's language there pretty tightly constraining it to appear inside an STR, so I suspect it's not the best idea to expect people to adopt it generically.

-- Scott
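As an added example that is not part of this mail or of the WSS profile, a small Go resolver for the two KeyIdentifier forms above (SKI and Thumbprint): it computes the ThumbprintSHA1 value as the profile defines it, SHA-1 over the certificate's DER bytes, and matches a received value against a certificate store; the self-signed certificate, its serial and its SKI bytes are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"math/big"
	"time"
)

// ThumbprintSHA1 is the ...#ThumbprintSHA1 value: base64(SHA-1(DER of the whole certificate, as received)).
func ThumbprintSHA1(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Resolve returns the certificate in store that a wsse:KeyIdentifier of the given ValueType
// (suffix form, as written in the mail) names, or nil when the value is bad or matches nothing.
func Resolve(store []*x509.Certificate, valueType, value string) *x509.Certificate {
	want, err := base64.StdEncoding.DecodeString(value)
	if err != nil || len(want) == 0 { // an empty value would "match" a cert lacking the SKI extension
		return nil
	}
	for _, c := range store {
		var have []byte // stays nil for an unknown ValueType, so it can never match
		switch valueType {
		case "#ThumbprintSHA1":
			s := sha1.Sum(c.Raw)
			have = s[:]
		case "#X509SubjectKeyIdentifier":
			have = c.SubjectKeyId // raw extension bytes, not a hash of the public key
		}
		if string(have) == string(want) {
			return c
		}
	}
	return nil
}

// NewSelfSignedCert builds a throwaway self-signed cert (constructed test data) with the given SKI.
func NewSelfSignedCert(serial int64, ski []byte) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), SubjectKeyId: ski,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	c, _ := x509.ParseCertificate(der)
	return c
}
```

The thumbprint must be taken over the certificate bytes exactly as they were transmitted; re-encoding the certificate changes the hash and the reference stops resolving.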
Received on Tuesday, 14 September 2010 16:18:03 UTC