Re: AW: [dss-x] Another streamlining approach to the core

[Pim van der Eijk <pvde@sonnenglanz.net>]

Yes I've had this requirement too for another specification (ebCore 
CPPA),  the closest I could find it was the XKMS LocateRequest.

It would be good to have a flexible pattern syntax that can match on a 
variety of fields.  For example,  for use with EN 319 412-3, one would 
need to be able to select based on the subject.organizationIdentifier.


On 17-02-17 16:17, Dr. Detlef Hühnlein wrote:
> Dear all,
>
> if the Client already knows the specific certificate, a KeySelector like dsig11:X509Digest is fine.
> However, we should probably also consider the case where the Client is only able
> to specify the class(es) of acceptable keys / certificates for the present use case (cf. CertificateFilter in
> https://www.oasis-open.org/committees/document.php?document_id=60049&wg_abbrev=dss-x ).
> Maybe both cases can be combined into one structure with a sequence of optional elements,
> which are to be logically ANDed (and not within a choice).
>
> BR,
>   dh
>   
>
> -----Ursprüngliche Nachricht-----
> Von: dss-x@lists.oasis-open.org [mailto:dss-x@lists.oasis-open.org] Im Auftrag von Andreas Kuehne
> Gesendet: Freitag, 17. Februar 2017 14:08
> An: dss-x@lists.oasis-open.org
> Betreff: Re: [dss-x] Another streamlining approach to the core
>
> Hi Pim,
>
> thanks for pointing out the aspects of XMLDSig 1.1!
>
> Thru all the years I'm quite used to identify a certificate by issuer & serial. But to keep things simple I'm in favor of replacing the X509IssuerSerial structure with X509Digest. That doesn't add too much additional complexity.
>
> Other opinions?
>
> Greetings,
>
> Andreas
> > On 16-02-17 20:00, Andreas Kuehne wrote:
> > > Hi all,
> > >
> > >               X509IssuerSerial: well established and dtmo in use widely.
> > >
> > > So maybe we can get away with something likes this:
> > >
> > >       <xs:complexType name="StreamlinedKeyInfoType">
> > >           <xs:choice>
> > >               <xs:element name="X509IssuerSerial" >
> > >                   <complexType name="X509IssuerSerialType" mixed="false">
> > >                       <sequence>
> > >                           <element name="X509IssuerName" type="string"/>
> > >                           <element name="X509SerialNumber"
> > > type="integer"/>
> > >                       </sequence>
> > >                   </complexType>
> > >               </xs:element>
> > It could be time to align with XML Signature 1.1,
> > https://www.w3.org/TR/xmldsig-core1/ which adds
> >
> > /The////|dsig11:X509Digest|////element contains a base64-encoded
> > digest of a certificate. The digest algorithm URI is identified with a
> > required////|Algorithm|////attribute. The input to the
> > digest/////must/////be the raw octets that would be base64-encoded
> > were the same certificate to appear in the X509Certificate element./
> >
> > That specification also remind us of the following (which I'm sure
> > we've all encountered from time to time):
> >
> > / The////|X509IssuerSerial|///element has been deprecated in favor of
> > the newly-introduced/////|dsig11:X509Digest|///element. The XML Schema
> > type of the serial number was defined to be an integer, and XML Schema
> > validators may not support integer types with decimal data exceeding
> > 18 decimal digits [//XMLSCHEMA-2
> > <https://www.w3.org/TR/xmldsig-core1/#bib-XMLSCHEMA-2>/]. /This has
> > proven insufficient, because many Certificate Authorities issue
> > certificates with large, random serial numbers that exceed this limit.
> > As a result, deployments that do make use of this element should take
> > care if schema validation is involved. New
> > deployments//////should////avoid use of the element./// /
> > > Greetings,
> > >
> > >
> > > Andreas
> > Kind Regards,
> >
> > Pim
>
> --
> Andreas Kühne
> phone: +49 177 293 24 97
> mailto: kuehne@trustable.de
>
> Trustable Ltd. Niederlassung Deutschland Gartenheimstr. 39C - 30659 Hannover Amtsgericht Hannover HRB 212612
>
> Director Andreas Kühne
>
> Company UK Company No: 5218868 Registered in England and Wales
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php