- From: Scott Cantor <cantor.2@osu.edu>
- Date: Tue, 21 Sep 2010 11:48:17 -0400
- To: <public-xmlsec@w3.org>
Incorporating the decisions on Algorithm handling, a couple of nits, and the concern about reuse:

In section 4.5, add a URL to the list of new 1.1 RetrievalMethod URLs:

  "http://www.w3.org/2009/xmldsig11#X509Digest"

In section 4.5.4, alter the first bullet under item 1, which describes X509IssuerSerial:

  "The deprecated X509IssuerSerial element..."

(I suspect that item numbering is a formatting mistake, there's no number 2.)

Move the bullet on "extensions in other namespaces" to the end of the list (after this new element).

Add a new bullet under OCSPResponse:

  "The dsig11:X509Digest element contains a base64-encoded digest of a certificate. The digest algorithm URI is identified with a required Algorithm attribute. The input to the digest MUST be the raw octets that would be base64-encoded were the same certificate to appear in the X509Certificate element."

Add dsig11:X509Digest to the lists of elements in both paragraphs below the bulleted list:

  "Any X509IssuerSerial, X509SKI, X509SubjectName, and dsig11:X509Digest elements..."

Add a new paragraph following those two paragraphs:

  "Note that if X509Data elements are used to identify a trusted certificate (rather than solely as an untrusted hint supplemented by validation by policy), the complete set of such elements that are intended to identify a certificate SHOULD be integrity protected, typically by signing an entire X509Data or KeyInfo element."

Modify the last paragraph in the section that discusses X509IssuerSerial:

  "The X509IssuerSerial element has been deprecated in favor of the newly-introduced X509Digest element. The XML Schema type of the serial number was defined to be an integer, and XML Schema validators may not support integer types with decimal data exceeding 18 decimal digits [XML-schema]. This has proven insufficient, because many Certificate Authorities issue certificates with large, random serial numbers that exceed this limit. As a result, deployments that do make use of this element should take care if schema validation is involved. New deployments SHOULD avoid use of the element."

Finally, add schema below the definition of OCSPResponse (and to the actual schema of course):

  <element name="X509Digest" type="dsig11:X509DigestType"/>
  <complexType name="X509DigestType">
    <simpleContent>
      <extension base="base64Binary">
        <attribute name="Algorithm" type="anyURI" use="required"/>
      </extension>
    </simpleContent>
  </complexType>

-- Scott
Received on Tuesday, 21 September 2010 15:48:49 UTC
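The X509Digest rule proposed in the message above (digest computed over the raw octets that X509Certificate would carry base64-encoded, algorithm named by a required Algorithm attribute), worked through on both the producing and the verifying side. This is an added example, not code from the message or from the W3C specification; it assumes the XML Encryption SHA-256 algorithm URI as the Algorithm value and uses a constructed byte string in place of a real certificate.

```python
import base64
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# XML Signature 1.1 namespace (the page's ...xmldsig11#X509Digest RetrievalMethod URL is this plus the element name).
DSIG11_NS = "http://www.w3.org/2009/xmldsig11#"
# Digest algorithm URIs accepted here (sha256 is the XML Encryption URI); others are rejected, not guessed.
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
DIGEST_ALGORITHMS = {SHA256_URI: hashlib.sha256}
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Raw DER octets of the first PEM certificate: the octets X509Certificate carries base64-encoded."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def x509_digest_value(der: bytes, algorithm: str) -> str:
    """Base64 text content of dsig11:X509Digest for these certificate octets."""
    if algorithm not in DIGEST_ALGORITHMS:
        raise ValueError(f"unsupported digest algorithm: {algorithm}")
    return base64.b64encode(DIGEST_ALGORITHMS[algorithm](der).digest()).decode("ascii")

def build_x509_digest(der: bytes, algorithm: str) -> ET.Element:
    """<dsig11:X509Digest Algorithm="...">base64 digest</dsig11:X509Digest>"""
    el = ET.Element(f"{{{DSIG11_NS}}}X509Digest", {"Algorithm": algorithm})
    el.text = x509_digest_value(der, algorithm)
    return el

def certificate_matches(el: ET.Element, der: bytes) -> bool:
    """Verifier side: recompute with the element's own Algorithm and compare in constant time.
    A missing or unknown Algorithm, or a malformed base64 value, is a non-match."""
    algorithm = el.get("Algorithm")
    if algorithm not in DIGEST_ALGORITHMS or not el.text:
        return False
    try:
        expected = base64.b64decode("".join(el.text.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(expected, DIGEST_ALGORITHMS[algorithm](der).digest())

# Constructed stand-in certificate (not real X.509 DER; the digest only sees raw octets).
SAMPLE_DER = bytes(range(48, 112)) * 4
_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END CERTIFICATE-----\n")
```

Because the element only identifies a certificate, the message's note applies: a verifier that treats the match as trust rather than as a hint should only accept it from a signed X509Data or KeyInfo.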