Subject: RE: [wss-comment] X509 1.0 Errata Comment
I suppose even when everyone agrees to change something just because it seems to make everything "right", the reality of the fact that it was *changed* can come back to haunt us . . .

- Thomas.

________________________________
From: Ron Monzillo [mailto:Ronald.Monzillo@Sun.COM]
Sent: Thu 2/10/2005 7:04 AM
To: Michael McIntosh
Cc: Manveen Kaur; wss-comment@lists.oasis-open.org
Subject: Re: [wss-comment] X509 1.0 Errata Comment

Michael,

I did recommend that we change the URI for SKI to include "v3". I also think the TC adopted and the errata implemented my recommendation (which occurred in the larger context of including support for v1 x509 certs).

In retrospect, I cannot recover any significant reason for changing the SKI URI. It may be that implementations have already changed to use and expect the modified URI. If not, I think we should consider the feasibility of removing this change from the errata.

Ron

Michael McIntosh wrote:
>
> Manveen Kaur <Manveen.Kaur@Sun.COM> wrote on 02/09/2005 05:16:27 PM:
>
> > In Line 111 in the X509 token profile 1.0 errata [1], the ValueType URI
> > is changed from #X509SubjectKeyIdentifier to #X509v3SubjectKeyIdentifier.
> >
> > Is the change necessary?
> >
> > This is all the more confusing since in line 83 the "v3" has been
> > dropped from the profile URI.
>
> The following email explains the rationale behind these changes.
>
> Ron Monzillo <Ronald.Monzillo@Sun.COM> wrote on 06/24/2004 03:14:07 PM:
>
> > Excerpt from minutes - "Minutes for WSS TC June 01, 2004"
> >
> > > 293 - X509 V1 certificates are obsolete, Irving Reid thinks there is no
> > > particular reason to exclude them. TC polled for objections to add them.
> > > Ronald Monzillo will write up a proposal on this topic for TC review and
> > > action. Issue Pending
> >
> > The general idea is to remove the apparent prohibition on the encapsulation
> > of X509v1 certificates as Binary Security Tokens.
> >
> > The x509 Certificate Token Profile includes 5 version specific X509 references
> >
> > Line 113: table of contents entry for section 3.1.1
> >
> > table below line 172: defines ValueType URI (i.e. for BinarySecurityToken)
> >
> > line 174: section 3.1.1 as referred to from table of contents. Section contains
> > a comment about the association between the certificate and the type of end-entity
> > that is authenticated by it as being defined by policy that is not defined
> > by this specification.
> >
> > Line 308: shows use of X509v3 valuetype in BinarySecurityToken
> >
> > Line 378: recommends that encryption keys be specified by an Issuer Serial number
> > reference to an X509v3 certificate.
> >
> > proposed changes:
> >
> > Line 113: table of contents entry for section 3.1.1
> >
> > regenerate table after making other changes
> >
> > table below line 172: defines ValueType URI (i.e. for BinarySecurityToken)
> >
> > remove version specification from ValueType (i.e. change ValueType to x509)
> >
> > line 174: section 3.1.1 as referred to from table of contents. Section contains
> > a comment about the association between the certificate and the type of end-entity
> > that is authenticated by it as being defined by policy that is not defined
> > by this specification.
> >
> > .s/3.1.1 X509v3 Token Type/3.1.1 X509 Token Type/
> >
> > add
> >
> > The encapsulated certificate is an X509 certificate.
> > The x509 certificate version is defined within the certificate.
> >
> > Line 308: shows use of X509v3 valuetype in BinarySecurityToken
> >
> > .s/wsse:X509v3/wsse:X509/
> >
> > Line 378: recommends that encryption keys be specified by an Issuer Serial number
> > reference to an X509v3 certificate.
> >
> > .s/wsse:x509v3/X509/
> >
> > The profile refers to subject key identifiers (an extension not available in X509v1)
> > in 8 places
> >
> > line 117: table of contents entry for section 3.2.1
> > line 193-5: describes use of an STR containing a subject key identifier
> > line 204-5: section 3.2.1 as referred to from table of contents
> > line 206: description of use (body of section 3.2.1)
> > table below line 209: defines URI for X509SubjectKeyIdentifier valuetype
> > line 213-5: description of use (also body of section 3.2.1)
> > line 252: used in description of example (that follows)
> > line 276: shows use of X509SubjectKeyIdentifier valuetype in STR
> >
> > The subjectKeyIdentifier extension is not supported by V1 certificates,
> > so the profile would be changed to reflect the use of SKI KeyIdentifiers
> > (only) with X509v2 certs; as follows:
> >
> > line 117: table of contents entry for section 3.2.1
> >
> > regenerate table after making other changes
> >
> > line 193-5: describes use of an STR containing a subject key identifier
> > 193s/Reference to a Subject Key Identifier/Reference to an X509 v3 Subject Key Identifier/
> > add following line 195
> >
> > "A subject key identifier may only be used to reference an X509v3 certificate."
> >
> > line 204-5: section 3.2.1 as referred to from table of contents
> > change section title to
> >
> > "Reference to an X509v3 Subject Key Identifier"
> > 205s/X509/X509v3/
> > line 206: description of use (body of section 3.2.1)
> > no change
> >
> > table below line 209: defines URI for X509SubjectKeyIdentifier valuetype
> > in table s/X509SubjectKeyIdentifier/X509v3SubjectKeyIdentifier/
> >
> > line 213-15: description of use (also body of section 3.2.1)
> > 213s/X509SubjectKeyIdentifier/X509v3SubjectKeyIdentifier/
> > line 252: used in description of example (that follows)
> > no change
> > line 276: shows use of X509SubjectKeyIdentifier valuetype in STR
> > .s/#X509SubjectKeyIdentifier/#X509v3SubjectKeyIdentifier/
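Added example (not part of the thread or of any TC deliverable): a receiver-side resolver that accepts both the original `#X509SubjectKeyIdentifier` and the errata `#X509v3SubjectKeyIdentifier` ValueType fragments, since Ron notes implementations may already expect the modified URI, and that honours the rule quoted above that an SKI reference can only resolve to an X509v3 certificate. The profile base URI and the certificate records are assumed; the STR and token store are constructed inline.

```python
import base64
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Assumed base URI of the X.509 Token Profile 1.0; the thread only quotes the "#..." fragments.
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
BASE64_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# Accept both the original and the errata ValueType fragments, so a receiver keeps
# working whether or not the sender picked up the errata change discussed above.
SKI_VALUETYPES = {
    PROFILE + "#X509SubjectKeyIdentifier": "pre-errata",
    PROFILE + "#X509v3SubjectKeyIdentifier": "errata",
}

def parse_ski_reference(str_xml):
    """Return (flavour, ski_bytes) for an STR carrying an SKI KeyIdentifier; else ValueError."""
    root = ET.fromstring(str_xml)
    kid = root.find("{%s}KeyIdentifier" % WSSE_NS)
    if kid is None:
        raise ValueError("no wsse:KeyIdentifier in the reference")
    flavour = SKI_VALUETYPES.get(kid.get("ValueType"))
    if flavour is None:
        raise ValueError("unsupported KeyIdentifier ValueType: %r" % kid.get("ValueType"))
    if kid.get("EncodingType", BASE64_ENC) != BASE64_ENC:
        raise ValueError("unsupported EncodingType")
    return flavour, base64.b64decode((kid.text or "").strip(), validate=True)

def resolve_by_ski(ski, certs):
    """Return the matching certificate record or None. subjectKeyIdentifier is an
    X.509v3 extension, so v1/v2 records are skipped instead of matched."""
    for cert in certs:
        if cert["version"] == 3 and cert.get("ski") == ski:
            return cert
    return None

# Constructed sample: an STR referencing the v3 record below by SKI with the errata URI.
SAMPLE_SKI = b"\x01\x02\x03\x04"
SAMPLE_STR = (
    '<wsse:SecurityTokenReference xmlns:wsse="%s">'
    '<wsse:KeyIdentifier ValueType="%s#X509v3SubjectKeyIdentifier" EncodingType="%s">%s'
    "</wsse:KeyIdentifier></wsse:SecurityTokenReference>"
) % (WSSE_NS, PROFILE, BASE64_ENC, base64.b64encode(SAMPLE_SKI).decode())

# Constructed token store (hypothetical records standing in for parsed certificates).
CERTS = [
    {"name": "legacy-v1", "version": 1},
    {"name": "modern-v3", "version": 3, "ski": SAMPLE_SKI},
]
```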