[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] specifying the <ds:X509SKI> element
Hi Ari,

On Tue, Oct 7, 2008 at 4:40 PM, ARI KERMAIER <ARI.KERMAIER@oracle.com> wrote:
>
> What's meant by "the DER-encoded Subject Key Identifier (SKI) extension"?

Oops, I copied existing text from the profile document but didn't sufficiently edit.

> Is it the entire DER-encoded Extension object, which is a sequence of OID, critical flag and value?
> Or is it the value field, which is an ASN.1 OCTET STRING, including its ASN.1 DER-encoded tags?
> Or is it the bytes of the SKI value, i.e., the content of the OCTET STRING without its tags?
>
> I would favor the last of these options, so we don't assume ASN.1 parsing capability on the part of an XML protocol implementation.

Yes, I think you're right. In fact, [XMLSig] says "The X509SKI element, which contains the base64 encoded plain (i.e. non-DER-encoded) value of a X509 V.3 SubjectKeyIdentifier extension." which I believe agrees with your preference.

This leads to the following rewrite of the normative text to be included in the HoK Assertion Profile:

"The <ds:X509Data> element MAY contain a <ds:X509SKI> element. If it does, the <ds:X509SKI> element MUST contain the base64 encoding of the plain (i.e., not DER-encoded) value of the Subject Key Identifier (SKI) extension of an X.509 certificate (as specified in [XMLSig]). If the certificate does not contain an SKI extension, the <ds:X509Data> element MUST NOT contain a <ds:X509SKI> element."

If you prefer some different wording, let me know.

Tom
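To make the three readings Ari lists concrete, the following Python is an added example written for this page; it is not code from the thread, from the HoK Assertion Profile, or from any XMLSig implementation. The minimal DER reader/encoder, the helper names, the two-extension Extensions value and the 20-byte key identifier (bytes 0x01..0x14, standing in for the SHA-1 of an SPKI) are all this editor's constructions. It locates the SKI extension by OID (2.5.29.14) inside an Extensions value as it would appear in a TBSCertificate, returns the whole Extension SEQUENCE, the extnValue OCTET STRING with its tag, the inner SubjectKeyIdentifier OCTET STRING with its tag, and the bare value side by side, and emits the base64 of the bare value as the <ds:X509SKI> text, or None when the certificate has no SKI extension (the case where the profile text says the element MUST NOT appear).

```python
import base64

# OIDs in DER content form (the bytes that follow the 0x06 tag and length)
SKI_OID = bytes.fromhex("551d0e")  # 2.5.29.14 id-ce-subjectKeyIdentifier
BC_OID = bytes.fromhex("551d13")   # 2.5.29.19 id-ce-basicConstraints

SEQUENCE, OCTET_STRING, BOOLEAN, OID = 0x30, 0x04, 0x01, 0x06


def der_encode(tag, content):
    """Minimal DER TLV encoder (definite lengths only)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, content, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        first = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + first
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def der_children(content):
    """Split the content of a constructed type into (tag, content, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, end = der_read(content, pos)
        out.append((tag, inner, content[pos:end]))
        pos = end
    return out


def find_extension(extensions_der, oid):
    """Locate an Extension by OID in Extensions ::= SEQUENCE OF Extension.

    Returns (raw_extension_tlv, raw_extnValue_tlv, extnValue_content) or None.
    """
    tag, body, _ = der_read(extensions_der)
    if tag != SEQUENCE:
        raise ValueError("Extensions must be a SEQUENCE")
    for _, ext_content, ext_raw in der_children(body):
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
        fields = der_children(ext_content)
        if fields[0][0] != OID:
            raise ValueError("extnID must be an OID")
        val_tag, val_content, val_raw = fields[-1]  # the optional critical flag sits in the middle
        if val_tag != OCTET_STRING:
            raise ValueError("extnValue must be an OCTET STRING")
        if fields[0][1] == oid:
            return ext_raw, val_raw, val_content
    return None


def ski_candidates(extensions_der):
    """The encodings the thread distinguishes, keyed by name, or None if there is no SKI extension."""
    found = find_extension(extensions_der, SKI_OID)
    if found is None:
        return None
    ext_raw, extn_value_raw, extn_value_content = found
    # extnValue carries the DER of SubjectKeyIdentifier ::= OCTET STRING, so unwrap once more
    inner_tag, key_id, end = der_read(extn_value_content)
    if inner_tag != OCTET_STRING or end != len(extn_value_content):
        raise ValueError("malformed SubjectKeyIdentifier")
    return {
        "whole_extension": ext_raw,        # SEQUENCE { OID, [critical], OCTET STRING }
        "extnValue_tlv": extn_value_raw,   # outer OCTET STRING, tag and length included
        "ski_tlv": extn_value_content,     # inner OCTET STRING, tag and length included
        "plain_value": key_id,             # bare identifier bytes: what ds:X509SKI carries
    }


def x509ski_text(extensions_der):
    """Text content for <ds:X509SKI>, or None when the element must be omitted."""
    c = ski_candidates(extensions_der)
    return None if c is None else base64.b64encode(c["plain_value"]).decode("ascii")


def build_sample_extensions(with_ski=True):
    """Constructed test data: an Extensions value with basicConstraints and, optionally, an SKI."""
    basic_constraints = der_encode(
        SEQUENCE,
        der_encode(OID, BC_OID) + der_encode(BOOLEAN, b"\xff")
        + der_encode(OCTET_STRING, der_encode(SEQUENCE, der_encode(BOOLEAN, b"\xff"))))
    exts = [basic_constraints]
    if with_ski:
        key_id = bytes(range(1, 21))  # constructed 20-byte identifier (a real one is usually a SHA-1 of the SPKI)
        exts.append(der_encode(
            SEQUENCE,
            der_encode(OID, SKI_OID) + der_encode(OCTET_STRING, der_encode(OCTET_STRING, key_id))))
    return der_encode(SEQUENCE, b"".join(exts))


if __name__ == "__main__":
    exts = build_sample_extensions()
    for name, value in ski_candidates(exts).items():
        print(f"{name:16s} {len(value):3d} bytes  {value.hex()}")
    print("ds:X509SKI:", x509ski_text(exts))
    print("no SKI extension ->", x509ski_text(build_sample_extensions(with_ski=False)))
```

Running it shows why the distinction matters for interoperability: for the same certificate the four readings are 31, 24, 22 and 20 bytes long, and only the last one matches the XMLSig text quoted above. A consumer comparing a received <ds:X509SKI> against a certificate should compare the decoded bytes with the bare identifier; a decoded value that is 22 bytes long and begins with 0x04 0x14 is a strong hint that the producer included the OCTET STRING tag, which is the mistake the proposed wording is meant to rule out.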