

Subject: RE: [wss] Issues and proposed edits to X509 'Whatever' document


X1-Support 1.
X2-Yes.



-----Original Message-----
From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com]
Sent: Tuesday, November 26, 2002 10:48 AM
To: 'wss@lists.oasis-open.org'
Subject: [wss] Issues and proposed edits to X509 'Whatever' document


So far few changes due to complete lack of comments. I do not propose to
cycle the draft until after the title vote result is announced.

Issue 

[X1] Line 117
	The XML Signature specification defines a <RetrievalMethod>
element that may be used to specify the location of the certificate,
this is particularly important in the case that the certificate is not
packaged with the message at all and is instead referenced.

	There is an overlap between the semantics of XML Signature
<ds:RetrievalMethod> and wsse:SecurityTokenReference in that someone
might use ds:RetrievalMethod to create a reference to the header. We
have the following options:

	1) Allow both methods, note that one is preferred
	2) Prohibit RetrievalMethod element pointing to the message
itself
	3) Eliminate SecurityTokenReference and state that
RetrievalMethod should be used.

I don't much like 2 as the distinction appears arbitrary to me, would we
likewise prohibit a reference to a DIME attachment??? What is in the
message anyhow? If we do 1 we need wording.

[X2] Line 94
	Should we add in options for other X.509/PKIX data structures?
	E.g. OCSP token, CRL, attribute certificate?

[X3] line 128 Section Authorization
	Specify that Authorization information may be encapsulated in
the X.509 distinguished name, extension fields or related attribute
certificates


Edits

Lines 2, 3, 6, 170
	Minor numbering edits

Line 73 Terminology
	Add in description for
	* Certificate
	* Attribute Certificate
	* OCSP Validity Token
	* Certificate Revocation List	
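
Added example, not part of the original message or the WSS draft: a receiver-side check that classifies how each ds:KeyInfo points at the certificate and applies options 1 to 3 from issue X1. The wsse namespace is assumed to be the one from the later published WSS 1.0 schema; the sample header, its Ids, the URL and the style names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Assumption: the namespace of the later published WSS 1.0 schema, not the 2002 draft.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed sample header: one KeyInfo per referencing style (ids and URL are made up).
SAMPLE = f"""
<Security xmlns:ds="{DS}" xmlns:wsse="{WSSE}">
  <wsse:BinarySecurityToken Id="cert-1">PLACEHOLDER</wsse:BinarySecurityToken>
  <ds:KeyInfo Id="k1"><wsse:SecurityTokenReference>
    <wsse:Reference URI="#cert-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
  <ds:KeyInfo Id="k2"><ds:RetrievalMethod URI="#cert-1"/></ds:KeyInfo>
  <ds:KeyInfo Id="k3"><ds:RetrievalMethod URI="https://certs.example/signer.cer"/></ds:KeyInfo>
  <ds:KeyInfo Id="k4"><ds:RetrievalMethod URI="#missing"/></ds:KeyInfo>
</Security>
"""

# Styles each option from issue X1 refuses. A same-document reference that
# resolves to nothing is refused under every option (a check added for this example).
REFUSED = {
    1: {"retrieval-dangling"},
    2: {"retrieval-dangling", "retrieval-internal"},
    3: {"retrieval-dangling", "token-reference"},
}

def reference_style(key_info, local_ids):
    """Classify how one ds:KeyInfo points at the certificate."""
    rm = key_info.find(f"{{{DS}}}RetrievalMethod")
    if rm is not None:
        uri = rm.get("URI", "")
        if uri and not uri.startswith("#"):
            return "retrieval-external"   # certificate lives outside the message
        return "retrieval-internal" if uri[1:] in local_ids else "retrieval-dangling"
    if key_info.find(f"{{{WSSE}}}SecurityTokenReference") is not None:
        return "token-reference"
    return "other"

def evaluate(xml_text, option):
    """Map each KeyInfo Id to (style, accepted) under option 1, 2 or 3."""
    root = ET.fromstring(xml_text)
    local_ids = {v for el in root.iter() for k, v in el.attrib.items()
                 if k.rsplit("}", 1)[-1] == "Id"}
    return {ki.get("Id"): (style, style not in REFUSED[option])
            for ki in root.iter(f"{{{DS}}}KeyInfo")
            for style in [reference_style(ki, local_ids)]}

if __name__ == "__main__":
    for opt in (1, 2, 3):
        print(opt, evaluate(SAMPLE, opt))
```

Under option 2 only k2 changes from accepted to refused, which is the distinction between a reference into the message and one outside it that the message questions.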

