OASIS Mailing List Archives

xri message



Subject: Re: [xri] Re: The elements formerly known as TargetAuthority and TargetSubject


Nat Sakimura wrote:
> This is easier than the previous one.
> We just want an exact match.

Exact matching of any XML is complicated, but with KeyInfo it isn't 
necessarily what you want either. Comparing PKI credentials depends on the 
trust model of the PKI.

If you're not relying on PKIX or some other profile of X.509, there's no 
reason to require certificate-based equivalence, for example, but even when 
you are relying on that, you rarely have total control over how credentials 
might get expressed in some other system. Certificates get renewed, 
intermediate CAs change (which would affect KeyInfo if you include a chain), 
etc.

It's superficially "easy" to require matching, but it's brittle in practice.

-- Scott
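
Added example, not part of the original message or of any XRI or XML Signature code: a Python sketch of why exact matching of KeyInfo is brittle, comparing byte-exact equality with a comparison of the RSA key material alone. The key values, certificate blobs and helper names are constructed for illustration, and comparing only `RSAKeyValue` is an assumed policy; which comparison is appropriate depends on the PKI trust model.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML Signature namespace

# Constructed sample data: a toy modulus and placeholder certificate blobs,
# not real keys or certificates.
MOD = base64.b64encode(bytes(range(1, 33))).decode()
OTHER_MOD = base64.b64encode(bytes(range(2, 34))).decode()

def keyinfo(prefix, modulus, cert):
    """Build a KeyInfo string; an empty prefix means a default namespace."""
    p = f"{prefix}:" if prefix else ""
    ns = f"xmlns:{prefix}" if prefix else "xmlns"
    return (
        f'<{p}KeyInfo {ns}="{DS[1:-1]}">'
        f"<{p}KeyValue><{p}RSAKeyValue>"
        f"<{p}Modulus>{modulus}</{p}Modulus><{p}Exponent>AQAB</{p}Exponent>"
        f"</{p}RSAKeyValue></{p}KeyValue>"
        f"<{p}X509Data><{p}X509Certificate>{cert}</{p}X509Certificate></{p}X509Data>"
        f"</{p}KeyInfo>"
    )

def b64_int(text):
    """Decode a base64 big-endian integer, ignoring embedded whitespace."""
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")

def rsa_key(xml_text):
    """Return (modulus, exponent) from a KeyInfo, or None if no RSAKeyValue."""
    rsa = ET.fromstring(xml_text).find(f"{DS}KeyValue/{DS}RSAKeyValue")
    if rsa is None:
        return None
    return b64_int(rsa.findtext(f"{DS}Modulus")), b64_int(rsa.findtext(f"{DS}Exponent"))

def exact_match(a, b):
    """Byte-for-byte comparison of the serialized KeyInfo."""
    return a == b

def same_key(a, b):
    """Compare only the RSA public key carried in each KeyInfo."""
    ka, kb = rsa_key(a), rsa_key(b)
    return ka is not None and ka == kb

# Same key three ways: as first issued; after a certificate renewal with a
# different namespace prefix and line-wrapped base64; and a different key.
ORIGINAL = keyinfo("ds", MOD, "Q0VSVC1PTEQ=")
RENEWED = keyinfo("", MOD[:20] + "\n" + MOD[20:], "Q0VSVC1ORVc=")
DIFFERENT = keyinfo("ds", OTHER_MOD, "Q0VSVC1PTEQ=")

if __name__ == "__main__":
    print(exact_match(ORIGINAL, RENEWED), same_key(ORIGINAL, RENEWED))
    print(exact_match(ORIGINAL, DIFFERENT), same_key(ORIGINAL, DIFFERENT))
```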

