Re: [xri] Re: The elements formerly known as TargetAuthority and TargetSubject

[Nat Sakimura <n-sakimura@nri.co.jp>]

Hi Scott,

Comments inline:

Scott Cantor wrote:
> Nat Sakimura wrote:
>> This is easier than the previous one.
>> We just want an exact match.
>
> Exact matching of any XML is complicated, but with KeyInfo it isn't
> necessarily what you want either. Comparing PKI credentials depends on the
> trust model of the PKI.
>
> If you're not relying on PKIX or some other profile of X.509, there's no
> reason to require certificate-based equivalence, for example, but even 
> when
> you are relying on that, you rarely have total control over how 
> credentials
> might get expressed in some other system. Certificates get renewed,
> intermediate CAs change (which would affect KeyInfo if you include a 
> chain),
> etc.
>
> It's superficially "easy" to require matching, but it's brittle in 
> practice.

Right. When I was writing "exact match", I was murmuring
"whatever is 'exact match'?". Anyways, none the less,
the point is that we probably have a profile and places
to reference for this case.

In case of the "1. Root ID Trust"/"Case B) : Third Party X.509 Certificate"
there probably is no place to reference to, and this is
even bigger a problem... That's what I wanted to especially express.

Do you have any suggestions?

=nat

>
> -- Scott
>