wss-comment message
Subject: RE: [wss-comment] X509 1.0 Errata Comment


I suppose even when everyone agrees to change something just because it seems to make everything "right", the reality of the fact that it was *changed* can come back to haunt us . . .
 
&Thomas.

________________________________

From: Ron Monzillo [mailto:Ronald.Monzillo@Sun.COM]
Sent: Thu 2/10/2005 7:04 AM
To: Michael McIntosh
Cc: Manveen Kaur; wss-comment@lists.oasis-open.org
Subject: Re: [wss-comment] X509 1.0 Errata Comment



Michael,

I did recommend that we change the URI for SKI to include "v3".
I also think the TC adopted and the errata implemented my recommendation
(which occurred in the larger context of including support for v1 x509
certs).

In retrospect, I cannot recover any significant reason for changing the
SKI URI.

It may be that implementations have already changed to use and expect
the modified URI.

If not, I think we should consider the feasibility of removing this
change from the errata.

Ron

Michael McIntosh wrote:

>
> Manveen Kaur <Manveen.Kaur@Sun.COM> wrote on 02/09/2005 05:16:27 PM:
>
> >
> > In Line 111 in the X509 token profile 1.0 errata [1], the ValueType URI
> > is changed from #X509SubjectKeyIdentifier to #X509v3SubjectKeyIdentifier.
> >
> > Is the change necessary?
> >
> > This is all the more confusing since in line 83 the "v3" has been
> > dropped from the profile URI.
> >
>
> The following email explains the rationale behind these changes.
>
> Ron Monzillo <Ronald.Monzillo@Sun.COM> wrote on 06/24/2004 03:14:07 PM:
>
> > Excerpt from minutes - "Minutes for WSS TC June 01, 2004"
> >
> > >293 - X509 V1 certificates are obsolete, Irving Reid thinks there is no
> > >particular reason to exclude them.  TC polled for objections to add them.
> > >Ronald Monzillo will write up a proposal on this topic for TC review and
> > >action.  Issue Pending
> >
> > The general idea is to remove the apparent prohibition on the encapsulation
> > of X509v1 certificates as Binary Security Tokens.
> >
> > The x509 Certificate Token Profile includes 5 version specific X509 references
> >
> > Line 113: table of contents entry for section 3.1.1
> >
> > table below line 172: defines ValueType URI (i.e. for BinarySecurityToken)
> >
> > line 174: section 3.1.1 as referred to from table of contents.
> > Section contains a comment about the association between the certificate
> > and the type of end-entity that is authenticated by it as being defined
> > by policy that is not defined by this specification.
> >
> > Line 308: shows use of X509v3 valuetype in BinarySecurityToken
> >
> > Line 378: recommends that encryption keys be specified by an Issuer
> > Serial number
> > reference to an X509v3 certificate.
> >
> > proposed changes:
> >
> > Line 113: table of contents entry for section 3.1.1
> >
> >    regenerate table after making other changes
> >
> > table below line 172: defines ValueType URI (i.e. for BinarySecurityToken)
> >
> >    remove version specification from ValueType (i.e. change ValueType to x509)
> > 
> > line 174: section 3.1.1 as referred to from table of contents.
> > Section contains a comment about the association between the certificate
> > and the type of end-entity that is authenticated by it as being defined
> > by policy that is not defined by this specification.
> >
> >    .s/3.1.1 X509v3 Token Type/3.1.1 X509 Token Type/
> >
> >    add
> >
> >    The encapsulated certificate is an X509 certificate.
> >    The x509 certificate version is defined within the certificate.
> >
> > Line 308: shows use of X509v3 valuetype in BinarySecurityToken
> >
> >    .s/wsse:X509v3/wsse:X509/
> >
> > Line 378: recommends that encryption keys be specified by an Issuer
> > Serial number
> > reference to an X509v3 certificate.
> >
> >    .s/wsse:x509v3/X509/
> >
> > The profile refers to subject key identifiers (an extension not
> > available in X509v1)
> > in 8 places
> >
> > line 117: table of contents entry for section 3.2.1
> > line 193-5: describes use of an STR containing a subject key identifier
> > line 204-5: section 3.2.1 as referred to from table of contents
> > line 206: description of use (body of section 3.2.1)
> > table below line 209: defines URI for X509SubjectKeyIdentifier valuetype
> > line 213-5: description of use (also body of section 3.2.1)
> > line 252: used in description of example (that follows)
> > line 276: shows use of X509SubjectKeyIdentifier valuetype in STR
> >
> > The subjectKeyIdentifier extension is not supported by V1 certificates,
> > so the profile would be changed to reflect the use of SKI KeyIdentifiers
> > (only) with X509v2 certs; as follows:
> >
> > line 117: table of contents entry for section 3.2.1
> >
> >    regenerate table after making other changes
> >
> > line 193-5: describes use of an STR containing a subject key identifier
> >    193s/Reference to a Subject Key Identifier/Reference to an X509
> > v3 Subject Key Identifier/
> >    add following line 195
> >
> >    "A subject key identifier may only be used to reference an X509v3
> > certificate."
> >
> > line 204-5: section 3.2.1 as referred to from table of contents
> >    change section title to
> >
> >    "Reference to an X509v3 Subject Key Identifier"
> >    205s/X509/X509v3/
> > line 206: description of use (body of section 3.2.1)
> >    no change
> >
> > table below line 209: defines URI for X509SubjectKeyIdentifier valuetype
> >    in table s/X509SubjectKeyIdentifier/X509v3SubjectKeyIdentifier/
> >
> > line 213-15: description of use (also body of section 3.2.1)
> >    213s/X509SubjectKeyIdentifier/X509v3SubjectKeyIdentifier/
> > line 252: used in description of example (that follows)
> >      no change
> > line 276: shows use of X509SubjectKeyIdentifier valuetype in STR
> >    .s/#X509SubjectKeyIdentifier/#X509v3SubjectKeyIdentifier/
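As an added example (not from the thread or the WSS TC), a pure-stdlib Python check of the rule Ron's proposal adds after line 195, that a subject key identifier may only reference an X509v3 certificate. It also accepts both the original #X509SubjectKeyIdentifier and the errata #X509v3SubjectKeyIdentifier fragments (whatever namespace precedes the '#'), so that deployments on either side of the errata interoperate, which is the concern Ron raises above. The certificate is a constructed, stripped-down TBSCertificate skeleton carrying only version, serial and extensions; the helper names are this example's own.

```python
import base64

SKI_FRAGMENTS = {"#X509SubjectKeyIdentifier", "#X509v3SubjectKeyIdentifier"}  # pre- and post-errata
SKI_OID = bytes.fromhex("551d0e")  # id-ce-subjectKeyIdentifier, OID 2.5.29.14
def der(tag, content):  # minimal DER TLV encoder, short-form lengths only
    return bytes([tag, len(content)]) + content
def tlv_iter(data):  # yield (tag, content) for each short-form DER element in a byte run
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        yield tag, data[i + 2:i + 2 + length]
        i += 2 + length

def build_tbs(version, ski=None):
    """Constructed TBSCertificate skeleton with only the fields read below
    (a real one also carries signature, issuer, validity, subject and SPKI)."""
    body = b""
    if version >= 2:                       # [0] EXPLICIT Version is absent for v1
        body += der(0xA0, der(0x02, bytes([version - 1])))
    body += der(0x02, b"\x01")             # serialNumber
    if ski is not None:                    # [3] EXPLICIT Extensions exist from v3 on
        ext = der(0x30, der(0x06, SKI_OID) + der(0x04, der(0x04, ski)))
        body += der(0xA3, der(0x30, ext))
    return der(0x30, body)

def cert_version_and_ski(tbs):
    """Return (version, SKI bytes or None); a v1 cert has neither field."""
    (_, body), = tlv_iter(tbs)
    version, ski = 1, None
    for tag, content in tlv_iter(body):
        if tag == 0xA0:
            version = int.from_bytes(next(tlv_iter(content))[1], "big") + 1
        elif tag == 0xA3:
            (_, exts), = tlv_iter(content)
            for _, ext in tlv_iter(exts):
                fields = list(tlv_iter(ext))   # extnID, [critical], extnValue
                if fields[0] == (0x06, SKI_OID):
                    (_, ski), = tlv_iter(fields[-1][1])  # extnValue wraps an OCTET STRING
    return version, ski

def ski_reference_ok(value_type, tbs, key_identifier_b64):
    """Errata rule: an SKI KeyIdentifier may only reference an X509v3 certificate."""
    if value_type[value_type.rfind("#"):] not in SKI_FRAGMENTS:
        return False, "not a subject key identifier ValueType"
    version, ski = cert_version_and_ski(tbs)
    if version < 3 or ski is None:
        return False, "X509v%d certificate carries no subjectKeyIdentifier" % version
    if base64.b64decode(key_identifier_b64) != ski:
        return False, "KeyIdentifier does not match the certificate's SKI"
    return True, "ok"
```

A receiver that applies the second branch rejects an STR whose SKI KeyIdentifier points at a v1 token, which is exactly the case the profile text left undefined before the errata.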