wss message
Subject: X.509v1 Certificate Support in 1.0 Errata
- From: Michael McIntosh <mikemci@us.ibm.com>
- To: wss@lists.oasis-open.org
- Date: Tue, 22 Feb 2005 14:14:13 -0500
The current errata [1] line 211 and [2] sections 3.3 through 3.7 implement changes intended to allow X.509v1 certificates to be used with WSS 1.0. The changes as described in the errata are not backward compatible with the WSS 1.0 standard. This has resulted in confusion and interoperability problems since some vendors are implementing according to the errata and others are implementing according to the WSS 1.0 standard.
I suggest we revisit the errata to allow use of X.509v1 certificates while retaining backwards compatibility with the WSS 1.0 standard. My preferred alternative would be to rollback the change of the URI from "...#X509v3" to "...#X509", rollback the change of the URI from "...#X509SubjectKeyIdentifier" to "...#X509v3SubjectKeyIdentifier", and add a URI for "...#X509v1".
Specific changes would be:
Revise [1] as follows:
1) replace the 3rd row of the table on line 211 containing:
#X509
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509
with two rows containing:
#X509v1
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v1
#X509v3
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#X509v3
Revise [2] as follows:
2) change section 3.3 deleting line 82 and changing line 83 to:
Insert a new first cell at line 172 containing:
Single certificate | #X509v1 | An X.509 v1 signature-verification certificate.
3) remove section 3.6
4) remove section 3.7
A less attractive (to me) alternative to the "...#X509v1" URI described in #1 would be to add a statement to the errata that makes it clear that you may include an X.509v1 certificate when the URI states "...#X509v3". The reason I find this less attractive is that it changes the expected behavior of the existing URI. By adding a new URI we allow implementations to support X.509v1 while allowing those that chose not to, to correctly function without change.
Thanks,
Mike
[1] Web Services Security: SOAP Message Security 1.0 (WS-Security 2004) Errata 1.0 Committee Draft 200401, October 2004
http://www.oasis-open.org/committees/download.php/11146/oasis-200401-wss-soap-message-security-1.0-errata-004.pdf
[2] Web Services Security: X.509 Token Profile 1.0 Errata 1.0 Committee Draft 200401, October 2004
http://www.oasis-open.org/committees/download.php/11145/oasis-200401-x509-token-profile-1.0-errata-004.pdf
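The interoperability point in the message above is that a receiver decides what to expect from a BinarySecurityToken by its ValueType URI, so a v1 certificate arriving under the "...#X509v3" URI, or the errata's "...#X509" URI arriving at a WSS 1.0 implementation that only knows "...#X509v3", is either mis-parsed or rejected. The following is an added example, not code from the message, the OASIS TC or any WSS implementation. It reads the ValueType attribute of a wsse:BinarySecurityToken, decodes the base64 DER certificate, extracts the X.509 version from the tbsCertificate (the [0] EXPLICIT version field; absent means v1) and accepts the token only if the certificate's version is one the URI permits. The mapping from URI to accepted versions (including the proposed "...#X509v1" URI) is this example's assumption, and the certificates are constructed DER skeletons that carry only the version and a serial number, not real certificates.

```python
"""Check that a WSS BinarySecurityToken's ValueType URI matches the X.509
version of the certificate it carries.  Added example; stdlib only."""
import base64
import xml.etree.ElementTree as ET

X509_PROFILE = ("http://docs.oasis-open.org/wss/2004/01/"
                "oasis-200401-wss-x509-tokenprofile-1.0")
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SOAPSEC = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-soap-message-security-1.0")

# Assumed receiver policy: which certificate versions each ValueType admits.
# "#X509v3" is the WSS 1.0 URI, "#X509" the errata URI, "#X509v1" the URI
# proposed in this message.  A receiver that only knows "#X509v3" would
# simply omit the other two rows.
ACCEPTED_VERSIONS = {
    X509_PROFILE + "#X509v3": {3},
    X509_PROFILE + "#X509v1": {1},
    X509_PROFILE + "#X509": {1, 2, 3},
}


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos] -> (tag, value, next_pos).
    Handles short- and long-form definite lengths (what real certs use)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded Certificate.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { version [0] EXPLICIT
    INTEGER DEFAULT v1(0), serialNumber INTEGER, ... }, ... }"""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, first, _ = read_tlv(tbs, 0)
    if tag != 0xA0:            # no [0] version field: DEFAULT v1
        return 1
    itag, ver, _ = read_tlv(first, 0)
    if itag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(ver, "big") + 1   # encoded value 2 means v3


def check_token(value_type, b64_cert):
    """Accept only if the certificate version is allowed under the URI."""
    allowed = ACCEPTED_VERSIONS.get(value_type)
    if allowed is None:
        return "reject: unknown ValueType"
    version = x509_version(base64.b64decode(b64_cert))
    if version not in allowed:
        frag = value_type.rsplit("#", 1)[-1]
        return f"reject: ValueType #{frag} but certificate is v{version}"
    return f"accept: v{version}"


def check_bst(xml_text):
    """Locate the wsse:BinarySecurityToken in a header fragment and check it."""
    root = ET.fromstring(xml_text)
    name = "{%s}BinarySecurityToken" % WSSE_NS
    bst = root if root.tag == name else root.find(".//" + name)
    if bst is None:
        return "reject: no BinarySecurityToken"
    return check_token(bst.get("ValueType", ""), bst.text or "")


# --- constructed sample data (not real certificates) ---------------------
def der_tlv(tag, body):
    """Encode a short-form DER TLV (bodies here are under 128 bytes)."""
    return bytes([tag, len(body)]) + body


def fake_cert(version):
    """Constructed DER skeleton: tbsCertificate holding only the [0] version
    (omitted for v1, as DER DEFAULT requires) and serialNumber 1."""
    fields = b""
    if version != 1:
        fields += der_tlv(0xA0, der_tlv(0x02, bytes([version - 1])))
    fields += der_tlv(0x02, b"\x01")
    return der_tlv(0x30, der_tlv(0x30, fields))


def sample_bst(value_type, der):
    """Constructed wsse:BinarySecurityToken element carrying `der`."""
    return (f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE_NS}" '
            f'EncodingType="{SOAPSEC}#Base64Binary" ValueType="{value_type}">'
            f'{base64.b64encode(der).decode()}</wsse:BinarySecurityToken>')


if __name__ == "__main__":
    for uri, ver in [("#X509v3", 3), ("#X509v3", 1), ("#X509v1", 1), ("#X509", 1)]:
        print(uri, "with v%d cert ->" % ver,
              check_bst(sample_bst(X509_PROFILE + uri, fake_cert(ver))))
```

A receiver built this way behaves as the message argues: implementations that add the "...#X509v1" row accept v1 certificates, implementations that leave it out keep rejecting anything that is not a v3 certificate under "...#X509v3", and neither has to change what the existing URI means.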