wss message
Subject: New Issue: Clarification on use of Key Identifier when SKI extension is not present


A new issue has arisen as a result of some interoperability testing we have been doing.

Can a KeyIdentifier be used with an X.509 Token when the certificate in question does not contain a Subject Key Identifier extension, either because it is an V1 cert or because it is simply not present in a V3 cert?

We discovered that another vendor calculates the value from the certificate if it is not present. Since there is no standardized means of calculating the SKI, this only works if there is agreement on what method to use.

We would like to see the TC do one of the following (in order of our preference):

1. Declare that the Key Identifier may not be used with an X.509 binary token unless the certificate contains an SKI extension.

2. Select a particular method of calculating the SKI and say that it must be used if the Key Identifier is used when the SKI is not present.

3. Define a scheme (valuetype) for declaring how the key identifier was calculated. One value could mean "taken from the cert"; other values could define algorithms from RFC 3280, etc.

Hal
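The interoperability problem described above comes down to a concrete fact: RFC 3280 section 4.2.1.2 suggests two different ways of deriving a key identifier from the subjectPublicKey (a 160-bit SHA-1 hash, or a 64-bit value built from a 0100 nibble and the low 60 bits of that hash) and mandates neither, so two peers that both "calculate it from the cert" can still disagree. The following Python is an added example, not code from the original message or from the OASIS WSS TC. It builds a SubjectPublicKeyInfo around a constructed dummy modulus (labelled as such; it is not a real RSA key), extracts the subjectPublicKey bits with a minimal DER reader, computes both RFC 3280 methods, and implements a `key_identifier` chooser that models option 1 (refuse when no SKI extension is present) and option 3 (fall back to an explicitly named method). The function names and the `fallback` labels are assumptions made for this example.

```python
"""RFC 3280 key-identifier methods applied to a SubjectPublicKeyInfo.

Added example, not part of the original mailing-list message. Standard
library only; the DER encoder/reader below is a minimal one sufficient
for the structure built here.
"""
import hashlib
from typing import Optional, Tuple


def _der_length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + _der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (adds a 0x00 pad when the high bit is set)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der_tlv(0x02, body)


def der_read(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, body, position after the element)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


# Constructed sample: a dummy modulus, NOT a real RSA key (assumption for this example).
DUMMY_MODULUS = (1 << 255) + 0x1234567
RSA_OID = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))      # 1.2.840.113549.1.1.1
ALG_ID = der_tlv(0x30, RSA_OID + der_tlv(0x05, b""))               # AlgorithmIdentifier
RSA_PUBLIC_KEY = der_tlv(0x30, der_integer(DUMMY_MODULUS) + der_integer(65537))
SPKI = der_tlv(0x30, ALG_ID + der_tlv(0x03, b"\x00" + RSA_PUBLIC_KEY))  # SubjectPublicKeyInfo


def subject_public_key(spki_der: bytes) -> bytes:
    """Return the subjectPublicKey BIT STRING contents, excluding tag, length
    and the unused-bits byte, which is exactly what RFC 3280 hashes."""
    tag, seq, _ = der_read(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _algorithm, pos = der_read(seq)          # AlgorithmIdentifier, not needed here
    tag, bits, _ = der_read(seq, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    return bits[1:]


def ski_method1(spki_der: bytes) -> bytes:
    """RFC 3280 4.2.1.2 method (1): 160-bit SHA-1 of the subjectPublicKey bits."""
    return hashlib.sha1(subject_public_key(spki_der)).digest()


def ski_method2(spki_der: bytes) -> bytes:
    """RFC 3280 4.2.1.2 method (2): four bits 0100 followed by the least
    significant 60 bits of the same SHA-1 hash; 8 bytes in total."""
    digest = hashlib.sha1(subject_public_key(spki_der)).digest()
    low60 = int.from_bytes(digest, "big") & ((1 << 60) - 1)
    return ((0x4 << 60) | low60).to_bytes(8, "big")


def key_identifier(ski_extension: Optional[bytes], spki_der: bytes,
                   fallback: Optional[str] = None) -> Tuple[str, bytes]:
    """Decide what to put in a Key Identifier reference for a given certificate.

    With fallback=None this is the first option from the message: the SKI
    extension value is used when present and the reference is refused otherwise.
    With a named fallback it is the third option: the derived value is returned
    together with a label saying how it was calculated (label names assumed)."""
    if ski_extension is not None:
        return "extension", ski_extension
    if fallback == "rfc3280-method1":
        return fallback, ski_method1(spki_der)
    if fallback == "rfc3280-method2":
        return fallback, ski_method2(spki_der)
    raise ValueError("certificate carries no SKI extension; Key Identifier not usable")


if __name__ == "__main__":
    print("method 1:", ski_method1(SPKI).hex())
    print("method 2:", ski_method2(SPKI).hex())
    print(key_identifier(None, SPKI, "rfc3280-method1"))
```

Running the block prints two different identifiers for the same key, which is the whole interoperability issue: a receiver that only sees a 20-byte or 8-byte opaque value has no way to tell which method (if either) the sender used unless the reference says so, or unless the TC rules that only the extension value may be used.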