wss-comment message
Subject: Re: [wss-comment] X509 1.0 Errata Comment
- From: Michael McIntosh <mikemci@us.ibm.com>
- To: Manveen Kaur <Manveen.Kaur@Sun.COM>
- Date: Wed, 9 Feb 2005 21:49:48 -0500
Manveen Kaur <Manveen.Kaur@Sun.COM> wrote on 02/09/2005 05:16:27 PM:
>
> In Line 111 in the X509 token profile 1.0 errata [1], the ValueType URI
> is changed from #X509SubjectKeyIdentifier to #X509v3SubjectKeyIdentifier.
>
> Is the change necessary?
>
> This is all the more confusing since in line 83 the "v3" has been
> dropped from the profile URI.
>
The following email explains the rationale behind these changes.
Ron Monzillo <Ronald.Monzillo@Sun.COM> wrote on 06/24/2004 03:14:07 PM:
> Excerpt from minutes - "Minutes for WSS TC June 01, 2004"
>
> >293 - X509 V1 certificates are obsolete, Irving Reid thinks there is no
> >particular reason to exclude them. TC polled for objections to add them.
> >Ronald Monzillo will write up a proposal on this topic for TC review and
> >action. Issue Pending
>
> The general idea, is to remove the apparent prohibition on the encapsulation
> of X509v1 certificates as Binary Security Tokens.
>
> The x509 Certificate Token Profile includes 5 version specific X509 references
>
> Line 113: table of contents entry for section 3.1.1
>
> table below line 172: defines ValueType URI (i.e. for BinarySecurityToken)
>
> line 174: section 3.1.1 as referred to from table of contents. Section
> contains a comment about the association between the certificate and the
> type of end-entity that is authenticated by it as being defined by policy
> that is not defined by this specification.
>
> Line 308: shows use of X509v3 valuetype in BinarySecurityToken
>
> Line 378: recommends that encryption keys be specified by an Issuer Serial
> number reference to an X509v3 certificate.
>
> proposed changes:
>
> Line 113: table of contents entry for section 3.1.1
>
> regenerate table after making other changes
>
> table below line 172: defines ValueType URI (i.e. for BinarySecurityToken)
>
> remove version specification from ValueType (i.e. change ValueType to x509)
>
> line 174: section 3.1.1 as referred to from table of contents. Section
> contains a comment about the association between the certificate and the
> type of end-entity that is authenticated by it as being defined by policy
> that is not defined by this specification.
>
> .s/3.1.1 X509v3 Token Type/3.1.1 X509 Token Type/
>
> add
>
> The encapsulated certificate is an X509 certificate.
> The x509 certificate version is defined within the certificate.
>
> Line 308: shows use of X509v3 valuetype in BinarySecurityToken
>
> .s/wsse:X509v3/wsse:X509/
>
> Line 378: recommends that encryption keys be specified by an Issuer Serial
> number reference to an X509v3 certificate.
>
> .s/wsse:x509v3/X509/
>
> The profile refers to subject key identifiers (an extension not available
> in X509v1) in 8 places
>
> line 117: table of contents entry for section 3.2.1
> line 193-5: describes use of an STR containing a subject key identifier
> line 204-5: section 3.2.1 as referred to from table of contents
> line 206: description of use (body of section 3.2.1)
> table below line 209: defines URI for X509SubjectKeyIdentifier valuetype
> line 213-5: description of use (also body of section 3.2.1)
> line 252: used in description of example (that follows)
> line 276: shows use of X509SubjectKeyIdentifier valuetype in STR
>
> The subjectKeyIdentifier extension is not supported by V1 certificates,
> so the profile would be changed to reflect the use of SKI KeyIdentifiers
> (only) with X509v2 certs; as follows:
>
> line 117: table of contents entry for section 3.2.1
>
> regenerate table after making other changes
>
> line 193-5: describes use of an STR containing a subject key identifier
> 193s/Reference to a Subject Key Identifier/Reference to an X509 v3 Subject Key Identifier/
> add following line 195
>
> "A subject key identifier may only be used to reference an X509v3
> certificate."
>
> line 204-5: section 3.2.1 as referred to from table of contents
> change section title to
>
> "Reference to an X509v3 Subject Key Identifier"
> 205s/X509/X509v3/
> line 206: description of use (body of section 3.2.1)
> no change
>
> table below line 209: defines URI for X509SubjectKeyIdentifier valuetype
> in table s/X509SubjectKeyIdentifier/X509v3SubjectKeyIdentifier/
>
> line 213-15: description of use (also body of section 3.2.1)
> 213s/X509SubjectKeyIdentifier/X509v3SubjectKeyIdentifier/
> line 252: used in description of example (that follows)
> no change
> line 276: shows use of X509SubjectKeyIdentifier valuetype in STR
> .s/#X509SubjectKeyIdentifier/#X509v3SubjectKeyIdentifier/
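The rule in the proposal quoted above is that the certificate's version is defined inside the certificate, not by the token's ValueType, and that an SKI KeyIdentifier may only point at a certificate whose version supports the subjectKeyIdentifier extension. The following Python is an added illustration of that rule; it is not code from this thread, from the OASIS TC or from any WS-Security implementation. It builds two constructed, unsigned X.509 structures (a v1 certificate without extensions and a v3 certificate carrying a subjectKeyIdentifier), reads the version and the SKI straight out of the DER, and emits a wsse:KeyIdentifier reference only when both are present, falling back to a BinarySecurityToken plus a direct wsse:Reference otherwise. The fragments #X509 and #X509v3SubjectKeyIdentifier are taken from the proposal as quoted here and are assumptions, not a statement of what the published errata finally adopted; the wsse/wsu namespaces and the Base64Binary EncodingType are the WSS 1.0 URIs.

```python
import base64
from typing import Optional, Tuple

# ---- minimal DER helpers (enough for the Certificate outline used below) ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def der_seq(*parts: bytes) -> bytes:
    return der(0x30, b"".join(parts))

def der_int(n: int) -> bytes:
    # non-negative INTEGER, with a leading 0x00 where the top bit would be set
    return der(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def tlvs(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

OID_SHA256_RSA = der(0x06, bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
OID_SKI_BODY = bytes.fromhex("551d0e")                          # 2.5.29.14 subjectKeyIdentifier
NULL = der(0x05, b"")

def constructed_cert(version: int, ski: Optional[bytes]) -> bytes:
    """Constructed sample input: a structurally valid X.509 Certificate with an
    empty issuer/subject and a dummy signature. v1 omits the [0] version field
    (DEFAULT v1); v3 encodes INTEGER 2 and may carry a subjectKeyIdentifier."""
    tbs = []
    if version != 1:
        tbs.append(der(0xA0, der_int(version - 1)))                          # version [0] EXPLICIT
    tbs.append(der_int(0x1234))                                               # serialNumber
    tbs.append(der_seq(OID_SHA256_RSA, NULL))                                 # signature AlgorithmIdentifier
    tbs.append(der_seq())                                                     # issuer (empty Name)
    tbs.append(der_seq(der(0x17, b"050101000000Z"), der(0x17, b"060101000000Z")))  # validity
    tbs.append(der_seq())                                                     # subject (empty Name)
    tbs.append(der_seq(der_seq(OID_SHA256_RSA, NULL), der(0x03, b"\x00")))    # subjectPublicKeyInfo
    if ski is not None:
        ext = der_seq(der(0x06, OID_SKI_BODY), der(0x04, der(0x04, ski)))     # extnValue wraps OCTET STRING
        tbs.append(der(0xA3, der_seq(ext)))                                   # extensions [3] EXPLICIT
    return der_seq(der_seq(*tbs), der_seq(OID_SHA256_RSA, NULL), der(0x03, b"\x00"))

def cert_version_and_ski(cert_der: bytes) -> Tuple[int, Optional[bytes]]:
    """Read the version and the subjectKeyIdentifier (if any) out of the DER
    itself, which is where the proposal says the version is defined."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    version, ski = 1, None
    for tag, val in tlvs(tbs):
        if tag == 0xA0:                                    # [0] version; absent means v1
            _, v, _ = read_tlv(val, 0)
            version = int.from_bytes(v, "big") + 1
        elif tag == 0xA3:                                  # [3] extensions; v3 only
            _, exts, _ = read_tlv(val, 0)
            for _, ext in tlvs(exts):
                fields = list(tlvs(ext))                   # extnID, [critical], extnValue
                if fields[0][1] == OID_SKI_BODY:
                    _, ski, _ = read_tlv(fields[-1][1], 0) # OCTET STRING inside extnValue
    return version, ski

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
# Fragments as written in the proposal quoted in this thread; an assumption,
# not a statement of what the published errata finally adopted.
VT_CERT = PROFILE + "#X509"
VT_SKI = PROFILE + "#X509v3SubjectKeyIdentifier"

def security_token_reference(cert_der: bytes, token_id: str = "X509Token") -> str:
    """Emit an SKI KeyIdentifier only for a v3 certificate that actually has the
    extension; otherwise embed the certificate and use a direct Reference."""
    version, ski = cert_version_and_ski(cert_der)
    if version == 3 and ski is not None:
        return (f'<wsse:SecurityTokenReference xmlns:wsse="{WSSE}">'
                f'<wsse:KeyIdentifier ValueType="{VT_SKI}" EncodingType="{B64}">'
                f'{base64.b64encode(ski).decode()}</wsse:KeyIdentifier>'
                '</wsse:SecurityTokenReference>')
    return (f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="{token_id}" '
            f'ValueType="{VT_CERT}" EncodingType="{B64}">{base64.b64encode(cert_der).decode()}'
            '</wsse:BinarySecurityToken>'
            f'<wsse:SecurityTokenReference xmlns:wsse="{WSSE}">'
            f'<wsse:Reference URI="#{token_id}" ValueType="{VT_CERT}"/>'
            '</wsse:SecurityTokenReference>')

# constructed inputs: v1 without extensions, v3 with and without an SKI
V1_CERT = constructed_cert(1, None)
V3_CERT = constructed_cert(3, bytes(range(20)))
V3_CERT_NO_SKI = constructed_cert(3, None)

if __name__ == "__main__":
    for label, cert in (("v1", V1_CERT), ("v3+SKI", V3_CERT), ("v3, no SKI", V3_CERT_NO_SKI)):
        print(label, cert_version_and_ski(cert), security_token_reference(cert)[:72], "...")
```

The decision is driven by what the DER contains, not by the version string in the ValueType, so a v3 certificate that happens to lack the extension is handled the same way as a v1 certificate: it is carried whole as a BinarySecurityToken, which is the case the proposal wants the unversioned token ValueType to cover.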