
Subject: X509 TP: IssuerSerial


On the WS-I BSP mailing list, we had discussed the merits of using IssuerSerial as opposed to using SubjectKeyInfo. Can we discuss this in tomorrow’s meeting?

 

--ms

 


From: Kelvin Lawrence [mailto:klawrenc@us.ibm.com]
Sent: Monday, June 28, 2004 6:22 PM
To: wss@lists.oasis-open.org
Subject: [wss] Errata document

 


Folks, as you have hopefully noticed, the initial draft of the errata document has been uploaded. It would be great if people could take a look at it prior to our call tomorrow (Tuesday June 29th 7am Pacific Daylight Time) so that we can start to discuss the document on the call.

The document is available at this URL [1]

[1] http://www.oasis-open.org/apps/org/workgroup/wss/download.php/7488/oasis-200401-wss-soap-message-security-1.0-errata-001.pdf

Cheers
Kelvin

--- Begin Message ---
Title: [wsi_secprofile] Issue ctp06 - Reference via ds:X509IssuerSerial

I would like to reopen CTP06. I have read the issues list, meeting minutes and list archive and I am not completely sure what happened to this issue.

Apparently in January (at the F2F at BEA) we decided to prohibit the use of ds:X509IssuerSerial in a STR. The discussion seems to be mostly about the possibility of ambiguous references, such as when the X.509 SubjectKeyIdentifier extension refers to the key and not the cert or when the same DN may appear in multiple certs.

Some of the text in the profile suggests that we were under the impression that ds:X509IssuerSerial was a form of Key Name. This is not the case as the example in section 3.3.3 of the X.509 Token Profile makes clear. (In fact, it is not clear to me that the use of ds:X509IssuerSerial is actually legal as WSS core is written, but I don't want to go there.)

We rejected KeyName because it would typically contain a DN or email address that might well refer to multiple certs and keys. But ds:X509IssuerSerial completely and unambiguously identifies one and only one certificate containing a particular key. PKIX makes it very clear that a properly operated CA should never issue two certificates with identical values for this element. Doing so is cause for a security advisory and is in the same category as a software bug. The ds:X509IssuerSerial element is actually LESS ambiguous than the SubjectKeyIdentifier, which may identify a particular certificate or only a particular key.

For this reason I think we should at least allow the use of ds:X509IssuerSerial and personally I believe it should be preferred over Key Identifier.

Hal



--- End Message ---
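The resolver Hal's argument implies, as an added example (not code from the list, the WS-I profile or the WSS specifications): it indexes a constructed store of certificate metadata by (issuer, serial) and by SubjectKeyIdentifier and resolves both STR forms from the X.509 Token Profile, with a renewed certificate that re-certifies the same key showing why the SKI form can be ambiguous while IssuerSerial is not. The Cert record, CA name, serials and key identifier are constructed; the namespace and ValueType URIs are those of the WSS 1.0 specifications.

```python
import base64
import xml.etree.ElementTree as ET
from collections import defaultdict, namedtuple

DS = "{http://www.w3.org/2000/09/xmldsig#}"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
SKI_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"

# Constructed stand-in for the certificate fields a STR resolver needs; no real X.509 parsing here.
Cert = namedtuple("Cert", "issuer serial ski subject")

class AmbiguousReference(Exception):
    """The reference matches more than one certificate in the store."""

class CertStore:
    def __init__(self, certs):
        self.by_issuer_serial, self.by_ski = {}, defaultdict(list)
        for c in certs:
            if (c.issuer, c.serial) in self.by_issuer_serial:
                # PKIX requires serials to be unique per CA; a duplicate is a CA fault, not a valid entry.
                raise ValueError(f"{c.issuer} reused serial {c.serial}")
            self.by_issuer_serial[(c.issuer, c.serial)] = c
            self.by_ski[c.ski].append(c)

    def resolve(self, str_xml):
        """Return the one Cert a wsse:SecurityTokenReference denotes, or None if none matches."""
        root = ET.fromstring(str_xml)
        iss = root.find(f"{DS}X509Data/{DS}X509IssuerSerial")
        if iss is not None:  # ds:X509IssuerSerial: (issuer, serial) names exactly one certificate
            key = (iss.findtext(f"{DS}X509IssuerName"), int(iss.findtext(f"{DS}X509SerialNumber")))
            return self.by_issuer_serial.get(key)
        kid = root.find(f"{WSSE}KeyIdentifier")
        if kid is not None and kid.get("ValueType") == SKI_TYPE:
            matches = self.by_ski.get(base64.b64decode(kid.text.strip()), [])
            if len(matches) > 1:  # the same key may have been certified more than once
                raise AmbiguousReference(f"SKI matches {len(matches)} certificates")
            return matches[0] if matches else None
        raise ValueError("unsupported reference form")

NS = f'xmlns:wsse="{WSSE[1:-1]}" xmlns:ds="{DS[1:-1]}"'

def str_issuer_serial(issuer, serial):
    return (f"<wsse:SecurityTokenReference {NS}><ds:X509Data><ds:X509IssuerSerial>"
            f"<ds:X509IssuerName>{issuer}</ds:X509IssuerName><ds:X509SerialNumber>{serial}"
            "</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference>")

def str_ski(ski):
    return (f'<wsse:SecurityTokenReference {NS}><wsse:KeyIdentifier ValueType="{SKI_TYPE}">'
            f"{base64.b64encode(ski).decode()}</wsse:KeyIdentifier></wsse:SecurityTokenReference>")

# Constructed sample: the CA renews Alice's certificate, re-certifying the same key (same SKI, new serial).
KEY_ID = bytes(range(20))
STORE = CertStore([Cert("CN=Example CA", 1001, KEY_ID, "CN=alice"),
                   Cert("CN=Example CA", 1002, KEY_ID, "CN=alice")])
```

With the sample store, `STORE.resolve(str_issuer_serial("CN=Example CA", 1001))` returns the first certificate, while `STORE.resolve(str_ski(KEY_ID))` raises `AmbiguousReference`.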

