kmip message
Subject: [kmip] Digital Signature Algorithm attribute: Multiple-instances allowed: Yes and No
- From: "Featherstone, David" <David.Featherstone@safenet-inc.com>
- To: "kmip@lists.oasis-open.org" <kmip@lists.oasis-open.org>
- Date: Mon, 9 Jun 2014 15:56:33 -0400
Greetings
The KMIP spec states that the 3.16 Digital Signature Algorithm (see [KMIP v1.2] Table 76) attribute can have multiple instances in the case of PGP keys, but may not have multiple instances in the case of X.509 certificates, i.e. the set of single-instance attributes is different depending on the type of managed object. This call-me-maybe attribute interferes with an implementation's ability to define a single, exhaustive set of single-instance attributes.
I further notice that the KMIP spec has created X.509-specific attributes for Identifier, Subject and Issuer:
- 3.10 X.509 Certificate Identifier
- 3.11 X.509 Certificate Subject
- 3.12 X.509 Certificate Issuer
Given that the PGP certificate type has been deprecated as of KMIP v1.2 (see [KMIP v1.2] 2.2.1 Certificate), I wonder if we could follow the above pattern and create an X.509 Digital Signature Algorithm attribute, whose Attribute Rules table would unambiguously indicate "Multiple instances permitted=No"? [And the existing 3.16 Digital Signature Algorithm attribute's description could be changed (a) to refer only to PGP keys, and (b) to indicate unambiguously that "Multiple instances permitted=Yes"?]
Cheers,
… Dave
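Added example, not part of the original message and not code from any KMIP implementation: a sketch of the instance-count check a server would run, first with the type-dependent rule the message describes and then with the split attribute it proposes. The helper names, the ALWAYS_SINGLE subset and the sample objects are assumptions made for illustration.

```python
from collections import Counter

# Attributes assumed single-instance for every object type (constructed subset).
ALWAYS_SINGLE = {"Unique Identifier", "Object Type"}
DSA = "Digital Signature Algorithm"
# Attribute proposed in the message above; it does not exist in KMIP v1.2.
X509_DSA = "X.509 Digital Signature Algorithm"


def single_now(name, cert_type):
    """Current rule: the answer for DSA depends on the certificate type."""
    if name == DSA:
        return cert_type == "X.509"
    return name in ALWAYS_SINGLE


def single_proposed(name, cert_type=None):
    """Proposed rule: one exhaustive set, no object-type lookup needed."""
    return name in ALWAYS_SINGLE | {X509_DSA}


def violations(attrs, cert_type, is_single):
    """Names that occur more than once although the rule says single-instance.

    `attrs` is a list of (name, value) pairs held for one managed object.
    """
    counts = Counter(name for name, _ in attrs)
    return sorted(n for n, c in counts.items() if c > 1 and is_single(n, cert_type))


# Constructed sample objects; the algorithm values are placeholders.
x509_attrs = [("Object Type", "Certificate"), (DSA, "alg-A"), (DSA, "alg-B")]
pgp_attrs = [("Object Type", "Certificate"), (DSA, "alg-A"), (DSA, "alg-B")]
x509_split = [("Object Type", "Certificate"), (X509_DSA, "alg-A"), (X509_DSA, "alg-B")]

if __name__ == "__main__":
    # Same attribute list, different verdict, purely because of certificate type.
    print(violations(x509_attrs, "X.509", single_now))
    print(violations(pgp_attrs, "PGP", single_now))
    # With the split attribute the certificate type is not consulted at all.
    print(violations(x509_split, None, single_proposed))
```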