- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Fri, 13 Oct 2006 15:08:40 +0100
- To: Michael Wilde <michael.wilde@yahoo.de>
- Cc: www-xkms@w3.org
Hi Michael,

Michael Wilde wrote:
> Hi,
>
> my research field is the extensibility of the XKMS 2.0 specification.
> Basically I am searching for a possibility to integrate rolenames into
> X509v3 certificates.

Check out how roles are handled in X.509 attribute certs - the
same applies to public key certs (and has nothing to do with
xkms of course). You may have to go back to X.509 or maybe
an ansi document to get that since the IETF profiles don't
say anything much about roles.

>
> These rolenames are represented as ordinary Strings and should be
> integrated directly into the certificates during registration of a key
> pair, such that it is possible to extract them after receiving the
> certificate later from an XKMS service.
>
> During my research I stumbled over the following website [1].

Missing reference?

> One of the
> topics there deals with the question: "X509 attributes, where to put
> them in?". This would be exactly what I am looking for. The previously
> mentioned rolenames could be integrated using attributes, but how can
> this be done using an XKMS service? Is there any standardized way how to
> do that yet?

Yes, there're at least two options:

- You could use the ds:KeyName or define a new ds:KeyInfo
  which might make sense if the rolename & key are tightly
  bound
- You could use a UseKeyWith value, probably in the Identifier
  attribute

Hope that helps,
Stephen.
Received on Friday, 13 October 2006 14:08:11 UTC
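The UseKeyWith option mentioned in the reply, as an added example that is not part of the original message: a Python sketch that places role names in the Identifier attribute of xkms:UseKeyWith elements inside a PrototypeKeyBinding and reads them back from a returned binding. The Application URI `urn:example:xkms:role`, the function names and the sample binding are assumptions made for illustration; XKMS itself defines no role application.

```python
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ROLE_APP = "urn:example:xkms:role"  # hypothetical Application URI (assumption)

ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DS)

def build_prototype(key_name, roles):
    """Serialize a PrototypeKeyBinding with one UseKeyWith per role name."""
    proto = ET.Element(f"{{{XKMS}}}PrototypeKeyBinding", {"Id": "proto-1"})
    key_info = ET.SubElement(proto, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = key_name
    for role in roles:
        ET.SubElement(proto, f"{{{XKMS}}}UseKeyWith",
                      {"Application": ROLE_APP, "Identifier": role})
    return ET.tostring(proto, encoding="unicode")

def extract_roles(binding_xml):
    """Return role names from a binding, ignoring other UseKeyWith entries."""
    roles = []
    for ukw in ET.fromstring(binding_xml).iter(f"{{{XKMS}}}UseKeyWith"):
        # Only accept entries tagged with the agreed role application URI;
        # S/MIME, TLS and other applications share the same element.
        if ukw.get("Application") != ROLE_APP:
            continue
        ident = (ukw.get("Identifier") or "").strip()
        if ident and ident not in roles:  # drop empty and duplicate roles
            roles.append(ident)
    return roles

# Constructed sample of a binding as a service might return it.
SAMPLE_BINDING = f"""
<KeyBinding xmlns="{XKMS}" xmlns:ds="{DS}" Id="kb-1">
  <ds:KeyInfo><ds:KeyName>alice-key</ds:KeyName></ds:KeyInfo>
  <UseKeyWith Application="urn:ietf:rfc:2633" Identifier="alice@example.org"/>
  <UseKeyWith Application="{ROLE_APP}" Identifier="auditor"/>
  <UseKeyWith Application="{ROLE_APP}" Identifier="auditor"/>
  <UseKeyWith Application="{ROLE_APP}" Identifier=" "/>
</KeyBinding>
"""

if __name__ == "__main__":
    print(build_prototype("alice-key", ["auditor", "operator"]))
    print(extract_roles(SAMPLE_BINDING))
```
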