Subject: X509 TP: IssuerSerial
On the WS-I BSP mailing list, we had discussed the merits of using IssuerSerial as opposed to using SubjectKeyInfo. Can we discuss this in tomorrow’s meeting? --ms
From: Kelvin Lawrence [mailto:klawrenc@us.ibm.com]
--- Begin Message ---
Title: [wsi_secprofile] Issue ctp06 - Reference via ds:X509IssuerSerial
- From: "Hal Lockhart" <hlockhar@bea.com>
- To: <wsi_secprofile@lists.ws-i.org>
- Date: Thu, 10 Jun 2004 09:46:09 -0700
I would like to reopen CTP06. I have read the issues list, meeting minutes and list archive and I am not completely sure what happened to this issue.
Apparently in January (at the F2F at BEA) we decided to prohibit the use of ds:X509IssuerSerial in a STR. The discussion seems to be mostly about the possibility of ambiguous references, such as when the X.509 SubjectKeyIdentifier extension refers to the key and not the cert or when the same DN may appear in multiple certs.
Some of the text in the profile suggests that we were under the impression that ds:X509IssuerSerial was a form of Key Name. This is not the case as the example in section 3.3.3 of the X.509 Token Profile makes clear. (In fact, it is not clear to me that the use of ds:X509IssuerSerial is actually legal as WSS core is written, but I don't want to go there.)
We rejected KeyName because it would typically contain a DN or email address that might well refer to multiple certs and keys. But ds:X509IssuerSerial completely and unambiguously identifies one and only one certificate containing a particular key. PKIX makes it very clear that a properly operated CA should never issue two certificates with identical values for this element. Doing so is cause for a security advisory and is in the same category as a software bug. The ds:X509IssuerSerial element is actually LESS ambiguous than the SubjectKeyIdentifier, which may identify a particular certificate or only a particular key.
For this reason I think we should at least allow the use of ds:X509IssuerSerial and personally I believe it should be preferred over Key Identifier.
Hal
--- End Message ---