dss-x message



Subject: Re: [dss-x] Another streamlining approach to the core


Hi Pim,

thanks for pointing out the aspects of XMLDSig 1.1!

Through all the years I'm quite used to identifying a certificate by issuer &
serial. But to keep things simple I'm in favor of replacing the
X509IssuerSerial structure with X509Digest. That doesn't add too much
additional complexity.

Other opinions?

Greetings,

Andreas
>
>
> On 16-02-17 20:00, Andreas Kuehne wrote:
>> Hi all,
>>
>>              X509IssuerSerial: well established and dtmo in use widely.
>>
>> So maybe we can get away with something like this:
>>
>>      <xs:complexType name="StreamlinedKeyInfoType">
>>          <xs:choice>
>>              <xs:element name="X509IssuerSerial">
>>                  <xs:complexType mixed="false">
>>                      <xs:sequence>
>>                          <xs:element name="X509IssuerName" type="xs:string"/>
>>                          <xs:element name="X509SerialNumber" type="xs:integer"/>
>>                      </xs:sequence>
>>                  </xs:complexType>
>>              </xs:element>
>>          </xs:choice>
>>      </xs:complexType>
>
> It could be time to align with XML Signature 1.1,
> https://www.w3.org/TR/xmldsig-core1/ which adds
>
> "The dsig11:X509Digest element contains a base64-encoded digest of a
> certificate. The digest algorithm URI is identified with a required
> Algorithm attribute. The input to the digest must be the raw octets that
> would be base64-encoded were the same certificate to appear in the
> X509Certificate element."
>
> That specification also reminds us of the following (which I'm sure
> we've all encountered from time to time):
>
> "The X509IssuerSerial element has been deprecated in favor of the
> newly-introduced dsig11:X509Digest element. The XML Schema type of the
> serial number was defined to be an integer, and XML Schema validators
> may not support integer types with decimal data exceeding 18 decimal
> digits [XMLSCHEMA-2 <https://www.w3.org/TR/xmldsig-core1/#bib-XMLSCHEMA-2>].
> This has proven insufficient, because many Certificate Authorities issue
> certificates with large, random serial numbers that exceed this limit.
> As a result, deployments that do make use of this element should take
> care if schema validation is involved. New deployments should avoid use
> of the element."
>> Greetings,
>>
>>
>> Andreas
>>
>>
>
> Kind Regards,
>
> Pim
>
>


-- 
Andreas Kühne 
phone: +49 177 293 24 97 
mailto: kuehne@trustable.de

Trustable Ltd. Niederlassung Deutschland Gartenheimstr. 39C - 30659 Hannover Amtsgericht Hannover HRB 212612

Director Andreas Kühne

Company UK Company No: 5218868 Registered in England and Wales 
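Added example for the two points discussed in this thread (the 18-digit xs:integer limit on X509SerialNumber, and how dsig11:X509Digest is formed over the raw DER octets). This is illustrative code written for this archive page, not code from the DSS-X committee, the XMLDSig 1.1 specification or any project; it uses only the Python standard library. The "certificate" it hashes is a constructed, unsigned DER blob carrying only the version and serial-number fields the walker reads, so the example runs offline; the same functions accept a real DER certificate. The namespace and algorithm URIs are the ones XMLDSig 1.1 defines; the serial numbers are made up.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace and digest-algorithm URIs from XML Signature 1.1
# (https://www.w3.org/TR/xmldsig-core1/).
DSIG11_NS = "http://www.w3.org/2009/xmldsig11#"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("dsig11", DSIG11_NS)

# XML Schema Part 2 only obliges a validator to handle 18 decimal digits
# for xs:integer; a CA-style random serial is far longer than that.
XSD_INTEGER_GUARANTEED_DIGITS = 18


# --- minimal DER helpers: enough to build the constructed sample and walk a real certificate ---

def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value: int) -> bytes:
    # One extra bit of headroom keeps the sign bit clear for positive values.
    return _der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_sample_cert(serial: int) -> bytes:
    """CONSTRUCTED sample (assumption for this example): a Certificate-shaped
    DER blob with only tbsCertificate.version and tbsCertificate.serialNumber.
    It is not a signed certificate; it exists so the example runs offline."""
    version = _der_tlv(0xA0, _der_integer(2))        # [0] EXPLICIT Version ::= v3
    tbs = _der_tlv(0x30, version + _der_integer(serial))
    return _der_tlv(0x30, tbs)                       # Certificate ::= SEQUENCE { tbsCertificate, ... }


def _read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def serial_from_der(cert_der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> [version] -> serialNumber."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, body, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                                  # optional [0] version present; serial comes next
        tag, body, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(body, "big", signed=True)


def serial_exceeds_xsd_limit(serial: int) -> bool:
    """True when X509SerialNumber would need more than 18 decimal digits."""
    return len(str(abs(serial))) > XSD_INTEGER_GUARANTEED_DIGITS


def x509_digest(cert_der: bytes) -> str:
    """Base64 SHA-256 over the raw DER octets, i.e. exactly the bytes that
    the base64 text inside <X509Certificate> would decode to."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def x509_digest_element(cert_der: bytes) -> str:
    el = ET.Element("{%s}X509Digest" % DSIG11_NS, {"Algorithm": SHA256_URI})
    el.text = x509_digest(cert_der)
    return ET.tostring(el, encoding="unicode")


def matches_digest(candidate_der: bytes, digest_b64: str, algorithm: str = SHA256_URI) -> bool:
    """Verifier side: does this candidate certificate match the referenced digest?"""
    if algorithm != SHA256_URI:
        raise ValueError("unsupported digest algorithm: %s" % algorithm)
    return hmac.compare_digest(hashlib.sha256(candidate_der).digest(),
                               base64.b64decode(digest_b64))


# Constructed serial numbers: a CA-style 20-octet random serial and a short legacy one.
BIG_SERIAL = int("3f" * 20, 16)
SMALL_SERIAL = 4711

if __name__ == "__main__":
    cert = build_sample_cert(BIG_SERIAL)
    print("serial digits:", len(str(serial_from_der(cert))),
          "exceeds xs:integer limit:", serial_exceeds_xsd_limit(BIG_SERIAL))
    print(x509_digest_element(cert))
    print("matches:", matches_digest(cert, x509_digest(cert)))
```

Two things worth noting when carrying this into a DSS-X profile: the digest must be taken over the DER bytes exactly as they would appear in X509Certificate (re-encoding a parsed certificate can change the octets and break the match), and the comparison on the verifier side should use a constant-time compare as above so that digest matching does not leak which candidate certificate was close.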



