ACTION-665: Devise proposal for X509SerialNumber

The changes to deprecate X509IssuerSerial and introduce a new X509Digest
element are as follows, based on the May 13 second LC draft.

In section 4.5.4, alter the first bullet under item 1, which describes
X509IssuerSerial:

"The deprecated X509IssuerSerial element..."

(I suspect the item numbering is a formatting mistake; there's no number
2.)

Add a new bullet under OCSPResponse:

"The dsig11:X509Digest element contains a base64-encoded digest of a
certificate. The digest algorithm URI is identified with an Algorithm
attribute, or defaults to SHA-1 if no Algorithm is specified. The input to
the digest MUST be the raw octets that would be base64-encoded were the same
certificate to appear in the X509Certificate element."

Add dsig11:X509Digest to the lists of elements in the two paragraphs below
the bulleted list:

"Any X509IssuerSerial, X509SKI, X509SubjectName, and X509Digest elements..."

Modify the last paragraph in the section that discusses X509IssuerSerial:

"The X509IssuerSerial element has been deprecated in favor of the
newly-introduced X509Digest element. The XML Schema type of the serial
number was defined to be an integer, and XML Schema validators may not
support integer types with decimal data exceeding 18 decimal digits
[XML-schema]. This has proven insufficient, because many Certificate
Authorities issue certificates with large, random serial numbers that exceed
this limit. As a result, deployments that do make use of this element should
take care if schema validation is involved. New deployments SHOULD avoid use
of the element."

Finally, add schema below the definition of OCSPResponse (and to the actual
schema of course):

<element name="X509Digest" type="dsig11:X509DigestType"/>
<complexType name="X509DigestType">
  <simpleContent>
    <extension base="base64Binary">
      <attribute name="Algorithm" type="anyURI"/>
    </extension>
  </simpleContent>
</complexType>

-- Scott

Received on Thursday, 16 September 2010 16:10:14 UTC
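Worked example for the proposal above, added here; it is not code from Scott's message, from the working group, or from the XML Signature 1.1 specification. It shows the two points the proposal rests on: a random certificate serial number whose decimal form exceeds the 18 digits a minimally conforming XML Schema validator must accept, and the construction and verification of a dsig11:X509Digest whose digest input is the raw DER octets that an X509Certificate element would base64-encode, with Algorithm optional and SHA-1 as the default exactly as the proposal words it. The dsig11 namespace URI and the digest algorithm URIs are the published XML Signature / XML Encryption / RFC 4051 identifiers, not text from this page. The certificate is a constructed, certificate-shaped DER structure built by the block (only the version and serialNumber fields are real X.509 fields; the remainder is an opaque placeholder), so the example runs offline with only the Python standard library; a real deployment would pass in the DER of an actual certificate.

```python
"""Constructed demonstration of the X509Digest proposal (added example; not
code from the original message or from the XML Signature 1.1 specification).
Standard library only. The "certificate" is a certificate-shaped DER blob
built here: Certificate { tbsCertificate { [0] version, serialNumber, ... } }
where everything after serialNumber is an opaque placeholder."""
import base64
import hashlib
import hmac
from typing import Optional
import xml.etree.ElementTree as ET

DSIG11_NS = "http://www.w3.org/2009/xmldsig11#"   # XML Signature 1.1 namespace
ET.register_namespace("dsig11", DSIG11_NS)

# Digest algorithm URIs (XML Signature, XML Encryption, RFC 4051) -> hashlib names.
DIGEST_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"      # the proposal's default
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"

# XML Schema Part 2 only obliges minimally conforming processors to handle
# decimal values of 18 digits; larger serial numbers may be rejected.
SCHEMA_MIN_DECIMAL_DIGITS = 18


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (a leading 0x00 keeps it positive)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_certificate_der(serial: int) -> bytes:
    """Constructed, certificate-shaped DER (NOT a valid X.509 certificate)."""
    version = der(0xA0, der_integer(2))          # [0] EXPLICIT version v3
    rest = der(0x04, b"placeholder for signature, issuer, validity, ...")
    tbs = der(0x30, version + der_integer(serial) + rest)
    return der(0x30, tbs)


def read_tlv(buf: bytes, pos: int):
    """Decode the DER TLV at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def certificate_serial(cert_der: bytes) -> int:
    """Extract tbsCertificate.serialNumber (the value X509SerialNumber carries)."""
    _, cert_body, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)           # tbsCertificate SEQUENCE
    tag, content, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                              # optional [0] version present
        tag, content, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(content, "big", signed=True)


def exceeds_schema_integer_limit(serial: int) -> bool:
    """True when the serial has more decimal digits than a minimally conforming
    XML Schema validator must accept: the problem the proposal cites."""
    return len(str(abs(serial))) > SCHEMA_MIN_DECIMAL_DIGITS


def x509_digest_element(cert_der: bytes, algorithm: Optional[str] = None) -> ET.Element:
    """Build dsig11:X509Digest: digest of the raw DER octets (exactly what an
    X509Certificate element would base64-encode), base64-encoded, with the
    algorithm URI in Algorithm; no Algorithm means SHA-1 per the proposal."""
    name = DIGEST_ALGORITHMS[algorithm or SHA1_URI]
    el = ET.Element("{%s}X509Digest" % DSIG11_NS)
    if algorithm is not None:
        el.set("Algorithm", algorithm)
    el.text = base64.b64encode(hashlib.new(name, cert_der).digest()).decode("ascii")
    return el


def x509_digest_from_x509certificate(x509certificate_text: str,
                                     algorithm: Optional[str] = None) -> ET.Element:
    """Same, starting from the text content of an existing X509Certificate element."""
    return x509_digest_element(base64.b64decode(x509certificate_text), algorithm)


def x509_digest_matches(element: ET.Element, cert_der: bytes) -> bool:
    """Does this X509Digest identify cert_der? Unknown algorithm URIs and
    malformed base64 fail closed; the digest comparison is constant-time."""
    name = DIGEST_ALGORITHMS.get(element.get("Algorithm", SHA1_URI))
    if name is None:
        return False
    try:
        claimed = base64.b64decode("".join((element.text or "").split()), validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(hashlib.new(name, cert_der).digest(), claimed)


if __name__ == "__main__":
    serial = (1 << 158) + 12345                  # 159-bit random-style serial
    cert = build_certificate_der(serial)
    print("serial digits:", len(str(certificate_serial(cert))),
          "exceeds 18:", exceeds_schema_integer_limit(serial))
    el = x509_digest_element(cert, SHA256_URI)
    print(ET.tostring(el).decode())
    print("matches:", x509_digest_matches(el, cert))
```

The verifier deliberately refuses unknown Algorithm URIs rather than guessing, and strips whitespace before decoding because base64 in XML content is routinely line-wrapped; if a deployment keeps X509IssuerSerial alongside X509Digest, `exceeds_schema_integer_limit` is the check to run before relying on schema validation of the serial.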