OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

dss-x message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: AW: [dss-x] Another streamlining approach to the core

Dear all,

if the Client already knows the specific certificate, a KeySelector like dsig11:X509Digest is fine.
However, we should probably also consider the case where the Client is only able
to specify the class(es) of acceptable keys / certificates for the present use case (cf. CertificateFilter in 
https://www.oasis-open.org/committees/document.php?document_id=60049&wg_abbrev=dss-x ).  
Maybe both cases can be combined into one structure with a sequence of optional elements,
which are to be logically ANDed (and not within a choice).


-----Ursprüngliche Nachricht-----
Von: dss-x@lists.oasis-open.org [mailto:dss-x@lists.oasis-open.org] Im Auftrag von Andreas Kuehne
Gesendet: Freitag, 17. Februar 2017 14:08
An: dss-x@lists.oasis-open.org
Betreff: Re: [dss-x] Another streamlining approach to the core

Hi Pim,

thanks for pointing out the aspects of XMLDSig 1.1!

Thru all the years I'm quite used to identify a certificate by issuer & serial. But to keep things simple I'm in favor of replacing the X509IssuerSerial structure with X509Digest. That doesn't add too much additional complexity.

Other opinions?


> On 16-02-17 20:00, Andreas Kuehne wrote:
>> Hi all,
>>              X509IssuerSerial: well established and dtmo in use widely.
>> So maybe we can get away with something likes this:
>>      <xs:complexType name="StreamlinedKeyInfoType">
>>          <xs:choice>
>>              <xs:element name="X509IssuerSerial" >
>>                  <complexType name="X509IssuerSerialType" mixed="false">
>>                      <sequence>
>>                          <element name="X509IssuerName" type="string"/>
>>                          <element name="X509SerialNumber"
>> type="integer"/>
>>                      </sequence>
>>                  </complexType>
>>              </xs:element>
> It could be time to align with XML Signature 1.1, 
> https://www.w3.org/TR/xmldsig-core1/ which adds
> /The////|dsig11:X509Digest|////element contains a base64-encoded 
> digest of a certificate. The digest algorithm URI is identified with a 
> required////|Algorithm|////attribute. The input to the 
> digest/////must/////be the raw octets that would be base64-encoded 
> were the same certificate to appear in the X509Certificate element./
> That specification also remind us of the following (which I'm sure 
> we've all encountered from time to time):
> / The////|X509IssuerSerial|///element has been deprecated in favor of 
> the newly-introduced/////|dsig11:X509Digest|///element. The XML Schema 
> type of the serial number was defined to be an integer, and XML Schema 
> validators may not support integer types with decimal data exceeding
> 18 decimal digits [//XMLSCHEMA-2
> <https://www.w3.org/TR/xmldsig-core1/#bib-XMLSCHEMA-2>/]. /This has 
> proven insufficient, because many Certificate Authorities issue 
> certificates with large, random serial numbers that exceed this limit.
> As a result, deployments that do make use of this element should take 
> care if schema validation is involved. New 
> deployments//////should////avoid use of the element./// /
>> Greetings,
>> Andreas
> Kind Regards,
> Pim

Andreas Kühne
phone: +49 177 293 24 97
mailto: kuehne@trustable.de

Trustable Ltd. Niederlassung Deutschland Gartenheimstr. 39C - 30659 Hannover Amtsgericht Hannover HRB 212612

Director Andreas Kühne

Company UK Company No: 5218868 Registered in England and Wales 

To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at:

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]