wss-comment message

Subject: Re: [wss-comment] X509 1.0 Errata Comment



Manveen Kaur <Manveen.Kaur@Sun.COM> wrote on 02/09/2005 05:16:27 PM:

>
> In Line 111 in the X509 token profile 1.0 errata [1] , the ValueType URI
> is changed from #X509SubjectKeyIdentifier to  #X509v3SubjectKeyIdentifier.
>
> Is the change necessary?
>
> This is all the more confusing since in line 83 the "v3" has been
> dropped from the profile URI.
>


The following email explains the rationale behind these changes.

Ron Monzillo <Ronald.Monzillo@Sun.COM> wrote on 06/24/2004 03:14:07 PM:

> Excerpt from minutes - "Minutes for WSS TC June 01, 2004"
>
> >293 - X509 V1 certificates are obsolete, Irving Reid thinks there is no
> >particular reason to exclude them.  TC polled for objections to add them.
> >Ronald Monzillo will write up a proposal on this topic for TC review and
> >action.  Issue Pending
>
> The general idea, is to remove the apparent prohibition on the encapsulation
> of X509v1 certificates as Binary Security Tokens.
>
> The x509 Certificate Token Profile includes 5 version specific X509 references
>
> Line 113: table of contents entry for section 3.1.1
>
> table below line 172: defines ValueType URI (i.e. for BinarySecurityToken
>    
> line 174: section 3.1.1 as referred to from table of contents.
> Section contains
> a comment about the association between the certificate and the type
> of end-entity
> that is authenticated by it as being defined by policy that is not defined
> by this specification.
>
> Line 308: shows use of X509v3 valuetype in BinarySecurityToken
>
> Line 378: recommends that encryption keys be specified by an Issuer
> Serial number
> reference to an X509v3 certificate.
>
> proposed changes:
>
> Line 113: table of contents entry for section 3.1.1
>
>    regenerate table after making other changes
>
> table below line 172: defines ValueType URI (i.e. for BinarySecurityToken
>    
>    remove version specification from ValueType (i.e change ValueType to x509)
>  
> line 174: section 3.1.1 as referred to from table of contents.
> Section contains
> a comment about the association between the certificate and the type
> of end-entity
> that is authenticated by it as being defined by policy that is not defined
> by this specification.
>
>    .s/3.1.1 X509v3 Token Type/3.1.1 X509 Token Type/
>
>    add
>
>    The encapsulated certificate is an X509 certificate.
>    The x509 certificate version is defined within the certificate.
>
> Line 308: shows use of X509v3 valuetype in BinarySecurityToken
>
>    .s/wsse:X509v3/wsse:X509/
>
> Line 378: recommends that encryption keys be specified by an Issuer
> Serial number
> reference to an X509v3 certificate.
>
>    .s/wsse:x509v3/X509/
>
> The profile refers to subject key identifiers (an extension not
> available in X509v1)
> in 8 places
>
> line 117: table of contents entry for section 3.2.1
> line 193-5: describes use of an STR containing a subject key identifier
> line 204-5: section 3.2.1 as referred to from table of contents
> line 206: description of use (body of section 3.2.1)
> table below line 209: defines URI for X509SubjectKeyIdentifier valuetype
> line 213-5: description of use (also body of section 3.2.1)
> line 252: used in description of example (that follows)
> line 276: shows use of X509SubjectKeyIdentifier valuetype in STR
>
> The subjectKeyIdentifier extension is not supported by V1 certificates,
> so the profile would be changed to reflect the use of SKI KeyIdentifiers
> (only) with X509v2 certs; as follows:
>
> line 117: table of contents entry for section 3.2.1
>
>    regenerate table after making other changes
>
> line 193-5: describes use of an STR containing a subject key identifier
>    193s/Reference to a Subject Key Identifier/Reference to an X509
> v3 Subject Key Identifier/
>    add following line 195
>
>    "A subject key identifier may only be used to reference an X509v3
> certificate."
>
> line 204-5: section 3.2.1 as referred to from table of contents
>    change section title to
>
>    "Reference to an X509v3 Subject Key Identifier"
>    205s/X509/X509v3/
> line 206: description of use (body of section 3.2.1)
>    no change
>
> table below line 209: defines URI for X509SubjectKeyIdentifier valuetype
>    in table s/X509SubjectKeyIdentifier/X509v3SubjectKeyIdentifier/
>
> line 213-15: description of use (also body of section 3.2.1)
>    213s/X509SubjectKeyIdentifier/X509v3SubjectKeyIdentifier/
> line 252: used in description of example (that follows)
>      no change
> line 276: shows use of X509SubjectKeyIdentifier valuetype in STR
>    .s/#X509SubjectKeyIdentifier/#X509v3SubjectKeyIdentifier/
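
The rule the quoted proposal lands on (a KeyIdentifier reference by subject key identifier is only valid against an X.509v3 certificate, while the BinarySecurityToken ValueType drops its version because the certificate states its own) is easy to get wrong in a toolkit that picks the reference form from configuration rather than from the certificate. The script below is an added example, not code from the OASIS thread or from the WSS TC: it reads the version and the subjectKeyIdentifier extension out of a DER certificate and chooses the reference form accordingly. The small DER encoder, the synthetic unsigned certificates, and the function names are constructed here for illustration; the namespace is the WSS 1.0 X.509 token profile URI, and the fragments (#X509, #X509v3SubjectKeyIdentifier) are the ones proposed in the email above, so check them against the published errata text before relying on them.

```python
"""Added example (not from the OASIS thread): choose a WSS X.509 token reference
form from what the certificate actually is, following the rule proposed above.
DER helpers, dummy certificates and function names are constructed here."""
import base64

# Assumed constants: profile namespace plus the fragments proposed in the thread.
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
VT_X509 = PROFILE + "#X509"                       # unversioned BinarySecurityToken ValueType
VT_SKI = PROFILE + "#X509v3SubjectKeyIdentifier"  # SKI KeyIdentifier, v3 certificates only
ENC_B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
SKI_OID = b"\x55\x1d\x0e"                          # 2.5.29.14 subjectKeyIdentifier (DER body)
RSA_SHA256 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
RSA_ENC = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"


# --- minimal DER encoder, enough to build a synthetic certificate ----------
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def seq(*items):
    return der(0x30, b"".join(items))


def integer(v):
    return der(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def make_cert(version, ski=None):
    """Structurally valid, unsigned dummy certificate (constructed sample input).
    For v1 the [0] version field is omitted (DEFAULT v1) and no [3] extensions
    field can exist; that is exactly why an SKI reference cannot name a v1 cert."""
    alg = seq(der(0x06, RSA_SHA256), der(0x05, b""))
    parts = []
    if version != 1:
        parts.append(der(0xA0, integer(version - 1)))    # [0] EXPLICIT Version
    parts += [integer(0x1234), alg, seq(),                # serialNumber, signature, issuer
              seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z")),  # validity
              seq(),                                        # subject
              seq(seq(der(0x06, RSA_ENC), der(0x05, b"")), der(0x03, b"\x00\x00"))]  # SPKI
    if ski is not None:
        # Extension { extnID OID, extnValue OCTET STRING { KeyIdentifier OCTET STRING } }
        ext = seq(der(0x06, SKI_OID), der(0x04, der(0x04, ski)))
        parts.append(der(0xA3, seq(ext)))                  # [3] EXPLICIT Extensions
    return seq(seq(*parts), alg, der(0x03, b"\x00"))


# --- minimal DER reader ----------------------------------------------------
def tlv(buf, pos=0):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nb = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big"), pos + 2 + nb
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out


def inspect_cert(cert_der):
    """Return (version, ski): the X.509 version and the KeyIdentifier octets or None."""
    fields = children(children(tlv(cert_der)[1])[0][1])     # TBSCertificate fields
    version, ski = 1, None
    if fields[0][0] == 0xA0:                                 # explicit version present
        version = int.from_bytes(children(fields[0][1])[0][1], "big") + 1
    for tag, val in fields:
        if tag == 0xA3:                                      # [3] Extensions
            for _, ext in children(children(val)[0][1]):
                ef = children(ext)
                if ef[0][1] == SKI_OID:
                    ski = children(ef[-1][1])[0][1]          # last field skips optional 'critical'
    return version, ski


def security_token_reference(cert_der, wsu_id="X509Token"):
    """Pick the STR form this certificate may use under the amended profile."""
    version, ski = inspect_cert(cert_der)
    if version == 3 and ski is not None:
        return {"mode": "SubjectKeyIdentifier", "value_type": VT_SKI, "xml":
                f'<wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="{VT_SKI}" '
                f'EncodingType="{ENC_B64}">{base64.b64encode(ski).decode()}'
                '</wsse:KeyIdentifier></wsse:SecurityTokenReference>'}
    # v1, or v3 without an SKI extension: carry the certificate itself and point at it.
    return {"mode": "BinarySecurityToken", "value_type": VT_X509, "xml":
            f'<wsse:BinarySecurityToken wsu:Id="{wsu_id}" ValueType="{VT_X509}" '
            f'EncodingType="{ENC_B64}">{base64.b64encode(cert_der).decode()}'
            '</wsse:BinarySecurityToken><wsse:SecurityTokenReference>'
            f'<wsse:Reference URI="#{wsu_id}" ValueType="{VT_X509}"/></wsse:SecurityTokenReference>'}


if __name__ == "__main__":
    for label, cert in [("v1", make_cert(1)), ("v3 no SKI", make_cert(3)),
                        ("v3 with SKI", make_cert(3, ski=b"\x01\x02\x03\x04"))]:
        print(label, inspect_cert(cert), security_token_reference(cert)["mode"])
```

Two points the thread's wording only implies: a v3 certificate without the extension is no better than a v1 one for SKI purposes, so the decision has to be made on the extension's presence and not on the version field alone; and the KeyIdentifier value carried in the STR is the extension's own octets, so a receiver resolves it by lookup against its trusted certificates rather than by recomputing a hash of the public key.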

