
dss-x message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Another streamlining approach to the core

Hi all,

The last remaining big chunk of complexity in the core (imported from
XMLDSig) is the KeySelector structure. So I took a look at the elements
in detail and identified some of the tags as useless:

KeyValue: Structure outdated, as it is limited to DSA and RSA. Handing
over the plain key to the server does not make that much sense to me,
anyway.

RetrievalMethod: A way to reference a key included in the request at
another point. Does not really make too much sense for me. In the worst
case just copy the content.

PGPData: Are PGP keys relevant for DSS? If yes, we can transport KeyId
or the Base64 content in the respective fields. A PGP-aware server will
be able to handle it.

SPKIData: Is there any relevance of SPKI today?

MgmtData: its use is 'not recommended' in the XMLDSig spec.

What's left are these five elements:

X509IssuerSerial: well established and dtmo in use widely.

X509SubjectName: quite a common way to address a certificate.

X509SKI: well established and dtmo in use widely.

X509Certificate: a verbose way to select a certificate. And I cannot
think of a use case where the server signs with a certificate it hadn't
seen before. Maybe we can drop this one in favor of X509SKI.

KeyName: a generic fallback for any other way of identifying a key.

So maybe we can get away with something like this:

    <xs:complexType name="StreamlinedKeyInfoType">
        <xs:choice>
            <xs:element name="X509IssuerSerial">
                <xs:complexType mixed="false">
                    <xs:sequence>
                        <xs:element name="X509IssuerName" type="xs:string"/>
                        <xs:element name="X509SerialNumber" type="xs:integer"/>
                    </xs:sequence>
                </xs:complexType>
            </xs:element>
            <xs:element name="X509SubjectName" type="xs:string"/>
            <xs:element name="X509SKI" type="xs:base64Binary"/>
            <xs:element name="X509Certificate" type="xs:base64Binary"/>
            <xs:element name="KeyName" type="xs:string"/>
        </xs:choice>
    </xs:complexType>

What's your opinion?



Andreas Kühne 
phone: +49 177 293 24 97 
mailto: kuehne@trustable.de

Trustable Ltd. Niederlassung Deutschland Gartenheimstr. 39C - 30659 Hannover Amtsgericht Hannover HRB 212612

Director Andreas Kühne

Company UK Company No: 5218868 Registered in England and Wales 
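The streamlined selector proposed above, exercised from the server side in an added Python example (my code, not from the post or from any DSS implementation). It assumes a placeholder namespace, a constructed key store with a renewed certificate that kept its subject name, and that a request carries exactly one of the five selector elements; the check it adds is that a selector matching no key, or more than one key, is rejected instead of being resolved to the first hit.

```python
"""Added example: resolve a streamlined KeyInfo selector against a server key store."""
import base64
import xml.etree.ElementTree as ET

# Assumption: the post names no namespace, so this one is a placeholder.
NS = "urn:example:streamlined-keyinfo"


def _q(tag):
    """Clark-notation name for an element in the placeholder namespace."""
    return f"{{{NS}}}{tag}"


# Constructed key store standing in for the server's own signing certificates.
# The two signer-a records model a renewed certificate that kept its subject
# name, which is exactly where X509SubjectName stops being a unique selector.
KEY_STORE = [
    {"id": "a-2022", "issuer": "CN=Example CA,O=Example", "serial": 1001,
     "subject": "CN=signer-a,O=Example", "ski": bytes.fromhex("a1a1"),
     "der": b"constructed-der-a-2022", "name": "signer-a"},
    {"id": "a-2024", "issuer": "CN=Example CA,O=Example", "serial": 1042,
     "subject": "CN=signer-a,O=Example", "ski": bytes.fromhex("a2a2"),
     "der": b"constructed-der-a-2024", "name": "signer-a-2024"},
    {"id": "b", "issuer": "CN=Example CA,O=Example", "serial": 1007,
     "subject": "CN=signer-b,O=Example", "ski": bytes.fromhex("b1b1"),
     "der": b"constructed-der-b", "name": "signer-b"},
]


class SelectorError(ValueError):
    """Raised for malformed, unmatched or ambiguous selectors."""


def _b64(text):
    # base64Binary content may be line-wrapped; drop whitespace, then decode strictly.
    return base64.b64decode("".join((text or "").split()), validate=True)


def parse_selector(xml_text):
    """Return (kind, value) for a StreamlinedKeyInfo element.

    Exactly one of the five child elements must be present, so a request
    cannot carry two selectors that point at different keys."""
    root = ET.fromstring(xml_text)
    children = list(root)
    if len(children) != 1:
        raise SelectorError("expected exactly one selector element")
    el = children[0]
    if el.tag == _q("X509IssuerSerial"):
        issuer = el.findtext(_q("X509IssuerName"))
        serial = el.findtext(_q("X509SerialNumber"))
        if issuer is None or serial is None:
            raise SelectorError("X509IssuerSerial needs both name and serial")
        # Real deployments compare issuer DNs in canonical form (RFC 4514),
        # not as raw strings; plain equality is enough for constructed data.
        return ("issuer_serial", (issuer.strip(), int(serial)))
    if el.tag == _q("X509SubjectName"):
        return ("subject", (el.text or "").strip())
    if el.tag == _q("X509SKI"):
        return ("ski", _b64(el.text))
    if el.tag == _q("X509Certificate"):
        return ("der", _b64(el.text))
    if el.tag == _q("KeyName"):
        return ("name", (el.text or "").strip())
    raise SelectorError(f"unknown selector element {el.tag}")


_MATCHERS = {
    "issuer_serial": lambda rec, v: (rec["issuer"], rec["serial"]) == v,
    "subject": lambda rec, v: rec["subject"] == v,
    "ski": lambda rec, v: rec["ski"] == v,
    "der": lambda rec, v: rec["der"] == v,
    "name": lambda rec, v: rec["name"] == v,
}


def select_key(xml_text, store=KEY_STORE):
    """Return the id of the single record the selector denotes.

    No match and several matches are both errors: taking the first of several
    candidates would let the request's wording decide which key signs."""
    kind, value = parse_selector(xml_text)
    hits = [rec["id"] for rec in store if _MATCHERS[kind](rec, value)]
    if not hits:
        raise SelectorError(f"no key matches the {kind} selector")
    if len(hits) > 1:
        raise SelectorError(f"{kind} selector is ambiguous: {hits}")
    return hits[0]


def resolve(xml_text, store=KEY_STORE):
    """Non-raising wrapper: ('ok', key_id) or ('error', reason)."""
    try:
        return ("ok", select_key(xml_text, store))
    except (ValueError, ET.ParseError) as exc:
        return ("error", str(exc))


def selector_xml(inner):
    """Wrap one child element in a StreamlinedKeyInfo element (constructed input)."""
    return f'<StreamlinedKeyInfo xmlns="{NS}">{inner}</StreamlinedKeyInfo>'


if __name__ == "__main__":
    print(resolve(selector_xml("<X509SKI>sbE=</X509SKI>")))
    print(resolve(selector_xml("<X509SubjectName>CN=signer-a,O=Example</X509SubjectName>")))
```

The ambiguity rule is the part worth keeping whatever the final schema looks like: X509SKI and X509IssuerSerial identify one certificate, but X509SubjectName and KeyName are only as unique as the operator's naming discipline, so the resolver refuses to guess when two stored certificates match.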
