Subject: Re: [security-services-comment] Additional certificate information
Tom Scavo wrote:
> Peter, when you refer to a draft, please specify the draft number (or
> the document id) and the document type (PDF or whatever). There are
> many drafts of the HoK Web Browser SSO Profile.
>
Oops,

sstc-saml-holder-of-key-browser-sso-draft-09.pdf
sstc-saml2-holder-of-key-draft-06.pdf

> Thanks in advance for your comments,
> Tom
>
> On Fri, Nov 21, 2008 at 8:58 AM, Peter Sylvester
> <Peter.Sylvester@edelweb.fr> wrote:
>
>> As a follow up to my comments during the last days and this morning.
>>
>> 1:
>> Line 424 of the browser-sso-draft says:
>>
>> 'Other certificate information MAY be included in additional child elements
>> of the <ds:X509Data>
>>
>> The restrictions of holder-of-key concerning the choice that can be selected
>> in the X509DataType don't seem to prohibit adding arbitrary elements of the
>> <any> choice.
>>
>> If my reading is correct, one can include for example the XER encoding of a
>> certificate at that place, simplifying the parsing of the certificate.
>> Or a sequence of saml attributes
>>
>> 2:
>> Line 447ff permit to use other information from the certificate for whatever
>> other purpose.
>> This can obviously be done by decoding the certificate, but IMO it is not
>> prohibited to have additional elements in the X509Data prepared by the
>> ID provider.
>>
>> 3:
>> What is the reason for disallowing X509CRL ? (Not that I want them).
>>
>>
>> TIA for any additional response.
>> Peter
>>

--
<http://www.edelweb.fr>
*Edel/W/eb*
Peter SYLVESTER
Information Systems Security Consultant
-----------------------------------------------------------
EdelWeb - Groupe ON-X
15, quai de Dion-Bouton
F-92816 Puteaux Cedex
Tel : +33.1.40.99.14.14 / Fax : +33.1.40.99.99.58
www.edelweb.fr <http://www.edelweb.fr> / www.on-x.com <http://www.on-x.com>
-----------------------------------------------------------
To verify the message signature, see edelpki.edelweb.fr <http://edelpki.edelweb.fr/>
This lets you load the root authority's certificate <http://edelpki.edelweb.fr/cacerts/EdelPKI-ca.der>; the list of revoked certificates can also be found there.