Subject: issue 293: x509v1 certificates
Excerpt from minutes - "Minutes for WSS TC June 01, 2004"

> 293 - X509 V1 certificates are obsolete, Irving Reid thinks there is no
> particular reason to exclude them. TC polled for objections to add them.
> Ronald Monzillo will write up a proposal on this topic for TC review and
> action. Issue Pending

The general idea is to remove the apparent prohibition on the encapsulation of X509v1 certificates as Binary Security Tokens.

The x509 Certificate Token Profile includes 5 version-specific X509 references:

  Line 113: table of contents entry for section 3.1.1
  Table below line 172: defines ValueType URI (i.e. for BinarySecurityToken)
  Line 174: section 3.1.1 as referred to from table of contents. Section contains a comment about the association between the certificate and the type of end-entity that is authenticated by it as being defined by policy that is not defined by this specification.
  Line 308: shows use of X509v3 valuetype in BinarySecurityToken
  Line 378: recommends that encryption keys be specified by an Issuer Serial number reference to an X509v3 certificate.

Proposed changes:

  Line 113: table of contents entry for section 3.1.1
    regenerate table after making other changes
  Table below line 172: defines ValueType URI (i.e. for BinarySecurityToken)
    remove version specification from ValueType (i.e. change ValueType to x509)
  Line 174: section 3.1.1 as referred to from table of contents. Section contains a comment about the association between the certificate and the type of end-entity that is authenticated by it as being defined by policy that is not defined by this specification.
    .s/3.1.1 X509v3 Token Type/3.1.1 X509 Token Type/
    add: "The encapsulated certificate is an X509 certificate. The x509 certificate version is defined within the certificate."
  Line 308: shows use of X509v3 valuetype in BinarySecurityToken
    .s/wsse:X509v3/wsse:X509/
  Line 378: recommends that encryption keys be specified by an Issuer Serial number reference to an X509v3 certificate.
    .s/wsse:x509v3/X509/

The profile refers to subject key identifiers (an extension not available in X509v1) in 8 places:

  Line 117: table of contents entry for section 3.2.1
  Lines 193-5: describes use of an STR containing a subject key identifier
  Lines 204-5: section 3.2.1 as referred to from table of contents
  Line 206: description of use (body of section 3.2.1)
  Table below line 209: defines URI for X509SubjectKeyIdentifier valuetype
  Lines 213-5: description of use (also body of section 3.2.1)
  Line 252: used in description of example (that follows)
  Line 276: shows use of X509SubjectKeyIdentifier valuetype in STR

The subjectKeyIdentifier extension is not supported by V1 certificates, so the profile would be changed to reflect the use of SKI KeyIdentifiers (only) with X509v2 certs; as follows:

  Line 117: table of contents entry for section 3.2.1
    regenerate table after making other changes
  Lines 193-5: describes use of an STR containing a subject key identifier
    193s/Reference to a Subject Key Identifier/Reference to an X509 v3 Subject Key Identifier/
    add following line 195: "A subject key identifier may only be used to reference an X509v3 certificate."
  Lines 204-5: section 3.2.1 as referred to from table of contents
    change section title to "Reference to an X509v3 Subject Key Identifier"
    205s/X509/X509v3/
  Line 206: description of use (body of section 3.2.1)
    no change
  Table below line 209: defines URI for X509SubjectKeyIdentifier valuetype
    in table s/X509SubjectKeyIdentifier/X509v3SubjectKeyIdentifier/
  Lines 213-15: description of use (also body of section 3.2.1)
    213s/X509SubjectKeyIdentifier/X509v3SubjectKeyIdentifier/
  Line 252: used in description of example (that follows)
    no change
  Line 276: shows use of X509SubjectKeyIdentifier valuetype in STR
    .s/#X509SubjectKeyIdentifier/#X509v3SubjectKeyIdentifier/
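The proposal above rests on two facts that a token consumer can check directly in the DER: the certificate carries its own version field, and a subjectKeyIdentifier reference only makes sense against a v3 certificate that has that extension. The following is an added example, not code from the WSS TC or the profile; it uses a minimal DER walker and constructed certificate skeletons (only the fields inspected are present, so they are not valid certificates) to show how such a consumer would decide whether an X509SubjectKeyIdentifier reference is acceptable for a given BinarySecurityToken.

```python
SKI_OID = bytes.fromhex("551d0e")  # value bytes of OID 2.5.29.14 (subjectKeyIdentifier)

def _tlv(buf, pos=0):
    """Parse one DER TLV starting at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def x509_version(cert_der):
    """Version as written in the certificate itself (1, 2 or 3)."""
    tbs = _tlv(_tlv(cert_der)[1])[1]        # Certificate -> tbsCertificate content
    tag, val = next(_children(tbs))
    if tag != 0xA0:                         # version [0] EXPLICIT is DEFAULT v1(0)
        return 1
    return int.from_bytes(_tlv(val)[1], "big") + 1

def has_subject_key_identifier(cert_der):
    """True if the extensions block [3] contains a subjectKeyIdentifier."""
    tbs = _tlv(_tlv(cert_der)[1])[1]
    for tag, val in _children(tbs):
        if tag == 0xA3:                     # extensions [3] EXPLICIT SEQUENCE OF Extension
            for _, ext in _children(_tlv(val)[1]):
                if _tlv(ext)[1] == SKI_OID: # extnID is the first field of Extension
                    return True
    return False

def ski_reference_allowed(cert_der):
    """An SKI reference is only meaningful for a v3 cert that carries the extension."""
    return x509_version(cert_der) == 3 and has_subject_key_identifier(cert_der)

def _der(tag, content):
    """Short-form DER encoder, enough to build the constructed samples below."""
    return bytes([tag, len(content)]) + content

# Constructed skeletons (not valid certificates): only the fields inspected above.
_SERIAL = _der(0x02, b"\x01")
_VER3 = _der(0xA0, _der(0x02, b"\x02"))
_SKI_EXT = _der(0x30, _der(0x06, SKI_OID) + _der(0x04, _der(0x04, b"\xab\xcd")))
V1_CERT = _der(0x30, _der(0x30, _SERIAL))
V3_CERT_NO_SKI = _der(0x30, _der(0x30, _VER3 + _SERIAL))
V3_CERT_SKI = _der(0x30, _der(0x30, _VER3 + _SERIAL + _der(0xA3, _der(0x30, _SKI_EXT))))
```

With the ValueType widened to plain X509, a consumer that receives a v1 token and an SKI-based SecurityTokenReference can reject the reference from the certificate bytes alone rather than relying on the ValueType string.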