RE: X509IssuerSerial alternatives in WS Security specification

> Depends on how you define it, of course, but assuming you want an
> independent, reusable element you don't want to be constrained by having
to
> ship an X509Data encapsulator around if you don't need it.  But I'll wait
to
> see the specific language you propose.

So I guess people want this? Alright, I'll put together a proposal, but it's
basically just:

<X509Digest Algorithm="...">
</X509Digest>

Probably with a SHA-1 default for compactness.

But it's just a KeyInfo child, it has no specific reference to a container
element. See also dsig11:OCSPResponse; we can't control where it appears,
but in prose we present it as a child of X509Data. I was assuming the same
goes here, and that we're talking about a certificate hash, rather than a
hash over arbitrary keying material.

Regardless of where it appears, all extension points in KeyInfo and X509Data
are multiply occurring, so it doesn't make sense to build in repetition
inside the child.

-- Scott

Received on Tuesday, 14 September 2010 19:36:51 UTC