[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xri] Re: The elements formerly known as TargetAuthority andTargetSubject
Nat Sakimura wrote: > This is easier than the previous one. > We just want an exact match. Exact matching of any XML is complicated, but with KeyInfo it isn't necessarily what you want either. Comparing PKI credentials depends on the trust model of the PKI. If you're not relying on PKIX or some other profile of X.509, there's no reason to require certificate-based equivalence, for example, but even when you are relying on that, you rarely have total control over how credentials might get expressed in some other system. Certificates get renewed, intermediate CAs change (which would affect KeyInfo if you include a chain), etc. It's superficially "easy" to require matching, but it's brittle in practice. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]