OASIS Mailing List Archives


wss message



Subject: issue 293: x509v1 certificates


Excerpt from minutes - "Minutes for WSS TC June 01, 2004"

>293 - X509 V1 certificates are obsolete, Irving Reid thinks there is no
>particular reason to exclude them.  TC polled for objections to add them.
>Ronald Monzillo will write up a proposal on this topic for TC review and
>action.  Issue Pending

The general idea is to remove the apparent prohibition on the encapsulation
of X509v1 certificates as Binary Security Tokens.

The X509 Certificate Token Profile includes 5 version-specific X509 references:

Line 113: table of contents entry for section 3.1.1

table below line 172: defines ValueType URI (i.e. for BinarySecurityToken)
line 174: section 3.1.1 as referred to from table of contents. Section contains
a comment about the association between the certificate and the type of end-entity
that is authenticated by it as being defined by policy that is not defined
by this specification.

Line 308: shows use of X509v3 valuetype in BinarySecurityToken

Line 378: recommends that encryption keys be specified by an Issuer Serial number
reference to an X509v3 certificate. 

proposed changes:

Line 113: table of contents entry for section 3.1.1

	regenerate table after making other changes

table below line 172: defines ValueType URI (i.e. for BinarySecurityToken)
	remove version specification from ValueType (i.e change ValueType to x509)
 
line 174: section 3.1.1 as referred to from table of contents. Section contains
a comment about the association between the certificate and the type of end-entity
that is authenticated by it as being defined by policy that is not defined
by this specification.

	.s/3.1.1 X509v3 Token Type/3.1.1 X509 Token Type/

	add 

	The encapsulated certificate is an X509 certificate. 
	The x509 certificate version is defined within the certificate.

Line 308: shows use of X509v3 valuetype in BinarySecurityToken

	.s/wsse:X509v3/wsse:X509/

Line 378: recommends that encryption keys be specified by an Issuer Serial number
reference to an X509v3 certificate.

	.s/wsse:x509v3/X509/

The profile refers to subject key identifiers (an extension not available in X509v1)
in 8 places

line 117: table of contents entry for section 3.2.1
line 193-5: describes use of an STR containing a subject key identifier
line 204-5: section 3.2.1 as referred to from table of contents
line 206: description of use (body of section 3.2.1)
table below line 209: defines URI for X509SubjectKeyIdentifier valuetype
line 213-5: description of use (also body of section 3.2.1)
line 252: used in description of example (that follows)
line 276: shows use of X509SubjectKeyIdentifier valuetype in STR

The subjectKeyIdentifier extension is not supported by V1 certificates,
so the profile would be changed to reflect the use of SKI KeyIdentifiers
(only) with X509v3 certs; as follows:

line 117: table of contents entry for section 3.2.1

	regenerate table after making other changes

line 193-5: describes use of an STR containing a subject key identifier
	193s/Reference to a Subject Key Identifier/Reference to an X509 v3 Subject Key Identifier/
	add following line 195

	"A subject key identifier may only be used to reference an X509v3 certificate."

line 204-5: section 3.2.1 as referred to from table of contents
	change section title to

	"Reference to an X509v3 Subject Key Identifier"
	205s/X509/X509v3/
line 206: description of use (body of section 3.2.1)
	no change

table below line 209: defines URI for X509SubjectKeyIdentifier valuetype
	in table s/X509SubjectKeyIdentifier/X509v3SubjectKeyIdentifier/

line 213-15: description of use (also body of section 3.2.1)
	213s/X509SubjectKeyIdentifier/X509v3SubjectKeyIdentifier/
line 252: used in description of example (that follows)
	  no change
line 276: shows use of X509SubjectKeyIdentifier valuetype in STR
	.s/#X509SubjectKeyIdentifier/#X509v3SubjectKeyIdentifier/
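As an added worked example (not part of this message or of the TC's profile text): the checks a token consumer would apply under the proposed wording, written in Python with a minimal DER walker. The certificate version is read from the certificate itself (a v1 certificate simply omits the [0] version field), and a subject key identifier reference is offered only when a v3 certificate actually carries that extension; a certificate that claims v1 or v2 but carries extensions is rejected. The sample certificates are constructed and unsigned (placeholder key and signature) so the block runs offline; the ValueType fragment names follow the proposal above, and the profile's URI base is not repeated here.

```python
# Added example, not from the WSS TC proposal: parse a DER-encoded X.509
# certificate far enough to learn its version and whether it carries a
# subjectKeyIdentifier (SKI) extension, then list which WS-Security STR
# forms may point at it.  Sample certificates below are constructed.
SKI_OID = bytes.fromhex("551d0e")  # id-ce-subjectKeyIdentifier, 2.5.29.14

def _tlv(tag, value):
    """DER-encode one element (definite length, short or long form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _seq(*parts):
    return _tlv(0x30, b"".join(parts))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos (single-byte tags only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in certificates")
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def _children(value):
    """Split a constructed element's content into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out

def inspect_certificate(cert_der):
    """Return version, serial and SKI (or None) of a certificate laid out per RFC 5280."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    tbs_tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    fields = _children(tbs)
    version = 1  # version is DEFAULT v1: a v1 certificate omits the [0] field entirely
    if fields and fields[0][0] == 0xA0:
        int_tag, ver, _ = _read_tlv(fields[0][1], 0)
        if int_tag != 0x02:
            raise ValueError("version must be an INTEGER")
        version, fields = int.from_bytes(ver, "big") + 1, fields[1:]
    if len(fields) < 6:  # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
        raise ValueError("TBSCertificate is missing mandatory fields")
    serial, ski = int.from_bytes(fields[0][1], "big", signed=True), None
    for tag, value in fields[6:]:  # issuerUniqueID [1], subjectUniqueID [2], extensions [3]
        if tag != 0xA3:
            continue
        if version != 3:
            raise ValueError("extensions are only permitted in v3, got v%d" % version)
        _, exts, _ = _read_tlv(value, 0)
        for _, ext in _children(exts):
            members = _children(ext)  # extnID, [critical], extnValue
            if members[0][1] == SKI_OID:
                _, ski, _ = _read_tlv(members[-1][1], 0)  # extnValue wraps OCTET STRING KeyIdentifier
    return {"version": version, "serial": serial, "subject_key_identifier": ski}

def allowed_reference_forms(info):
    """Issuer/serial exists in every version; an SKI reference needs the v3 extension to be present.
    Fragment names follow the proposal: version-neutral #X509 for the BST, #X509v3SubjectKeyIdentifier."""
    forms = ["#X509", "X509IssuerSerial"]
    if info["subject_key_identifier"] is not None:
        forms.append("#X509v3SubjectKeyIdentifier")
    return forms

def make_toy_certificate(version, serial, ski=None):
    """Constructed, unsigned stand-in with the right DER shape; placeholder key and signature."""
    name = _seq(_tlv(0x31, _seq(_tlv(0x06, bytes.fromhex("550403")), _tlv(0x0C, b"Toy CA"))))  # CN=Toy CA
    sig_alg = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    validity = _seq(_tlv(0x17, b"240101000000Z"), _tlv(0x17, b"250101000000Z"))
    spki = _seq(_seq(_tlv(0x06, bytes.fromhex("2a864886f70d010101")), b"\x05\x00"), _tlv(0x03, b"\x00" * 9))
    parts = [] if version == 1 else [_tlv(0xA0, _tlv(0x02, bytes([version - 1])))]
    parts += [_tlv(0x02, bytes([serial])), sig_alg, name, validity, name, spki]
    if ski is not None:
        if version != 3:
            raise ValueError("only a v3 certificate may carry extensions")
        parts.append(_tlv(0xA3, _seq(_seq(_tlv(0x06, SKI_OID), _tlv(0x04, _tlv(0x04, ski))))))
    return _seq(_seq(*parts), sig_alg, _tlv(0x03, b"\x00" * 17))

TOY_KEY_ID = bytes(range(20))  # constructed 20-byte key identifier
V1_CERT_DER = make_toy_certificate(1, 7)
V3_CERT_WITH_SKI_DER = make_toy_certificate(3, 8, ski=TOY_KEY_ID)
V3_CERT_WITHOUT_SKI_DER = make_toy_certificate(3, 9)
```

Running `inspect_certificate` over the three constructed certificates gives version 1 with no SKI, version 3 with the 20-byte SKI, and version 3 without one; only the middle case yields the `#X509v3SubjectKeyIdentifier` form, while the issuer/serial and direct-token forms are available for every version, which is the split the proposal makes. A real consumer would replace the toy DER with bytes decoded from the BinarySecurityToken and still verify the signature and chain before trusting any field.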



