
dss-x message



Subject: Re: [dss-x] Another streamlining approach to the core




On 16-02-17 20:00, Andreas Kuehne wrote:
Hi all,

            X509IssuerSerial: well established and dtmo in use widely.

So maybe we can get away with something likes this:

    <xs:complexType name="StreamlinedKeyInfoType">
        <xs:choice>
            <xs:element name="X509IssuerSerial">
                <!-- anonymous type: an inline complexType may not carry a name attribute -->
                <xs:complexType mixed="false">
                    <xs:sequence>
                        <xs:element name="X509IssuerName" type="xs:string"/>
                        <xs:element name="X509SerialNumber" type="xs:integer"/>
                    </xs:sequence>
                </xs:complexType>
            </xs:element>
        </xs:choice>
    </xs:complexType>

It could be time to align with XML Signature 1.1 (https://www.w3.org/TR/xmldsig-core1/), which adds:

The dsig11:X509Digest element contains a base64-encoded digest of a certificate. The digest algorithm URI is identified with a required Algorithm attribute. The input to the digest must be the raw octets that would be base64-encoded were the same certificate to appear in the X509Certificate element.

That specification also reminds us of the following (which I'm sure we've all encountered from time to time):

The X509IssuerSerial element has been deprecated in favor of the newly-introduced dsig11:X509Digest element. The XML Schema type of the serial number was defined to be an integer, and XML Schema validators may not support integer types with decimal data exceeding 18 decimal digits [XMLSCHEMA-2]. This has proven insufficient, because many Certificate Authorities issue certificates with large, random serial numbers that exceed this limit. As a result, deployments that do make use of this element should take care if schema validation is involved. New deployments should avoid use of the element.

Greetings,


Andreas



Kind Regards,

Pim
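
Worked example, added to this archive page and not part of the original message or of any dss-x deliverable, illustrating the two points quoted above: checking a certificate serial number against the 18-decimal-digit xs:integer limit, and forming a dsig11:X509Digest from the raw DER octets of a certificate. The DER input is a constructed stub carrying only a version and a 20-byte serial (not a real certificate); the SHA-256 algorithm URI is the one XML Signature 1.1 specifies for its digest methods.

```python
import base64
import hashlib

# SHA-256 URI for dsig11:X509Digest/@Algorithm (XML Signature 1.1 reuses the XML Encryption identifier)
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"

def der_encode(tag: int, payload: bytes) -> bytes:
    # Wrap payload in a DER TLV, using short- or long-form length as needed
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def certificate_serial(der: bytes) -> int:
    """serialNumber is the INTEGER after the optional [0] version in tbsCertificate."""
    tag, cert_body, _ = der_tlv(der)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = der_tlv(cert_body)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    tag, value, nxt = der_tlv(tbs)
    if tag == 0xA0:  # EXPLICIT [0] version present, skip it
        tag, value, nxt = der_tlv(tbs, nxt)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    return int.from_bytes(value, "big", signed=True)

def serial_exceeds_schema_limit(serial: int) -> bool:
    # Minimally conforming xs:integer validators only have to accept 18 decimal digits
    return len(str(abs(serial))) > 18

def x509_digest_element(der: bytes) -> str:
    """dsig11:X509Digest: digest of the raw DER octets (what X509Certificate would base64), base64-encoded."""
    digest = base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")
    return f'<dsig11:X509Digest Algorithm="{SHA256_URI}">{digest}</dsig11:X509Digest>'

# Constructed stand-in with only the leading tbsCertificate fields (version, 20-byte serial); not a real certificate.
SAMPLE_SERIAL = 0x0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D

def build_sample_certificate() -> bytes:
    serial = SAMPLE_SERIAL.to_bytes((SAMPLE_SERIAL.bit_length() + 8) // 8, "big")  # DER adds 0x00 if top bit set
    tbs = der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, serial)  # version v3 (2), then serial
    return der_encode(0x30, der_encode(0x30, tbs))
```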


