Subject: Metadata for 1.1 Web Browser SSO Profile, Draft 06, 1 May 2003
Colleagues,

In the case where the key distributed with the metadata is a public signature-verification key, it is acceptable, desirable and conventional to sign the metadata using the corresponding private key. This is common practice for X.509 certificates. In addition, it allows the integrity of the metadata to be confirmed using an out-of-band "digest".

As currently required, the integrity of the metadata has to be protected with a separate key. Presumably, it too has associated metadata that has to be distributed, protected with another key, which (in turn) has metadata. Allowing the enclosed key to confirm the integrity of the metadata breaks this cycle.

A digest is considerably easier to distribute out-of-band than a public key. Here is a suggestion for a digest procedure:

The validation string is calculated from the binary form of the authority's self-signed certificate by operating upon it with the SHA-1 hash algorithm. The right-most 8 bytes of the resulting digest are discarded. The left-most 3 bits of each of the remaining 12 bytes are discarded. The remaining twelve 5-bit values are represented as alphanumeric characters according to the following table.

  00000 > A
  00001 > B
  ...   (omitting I)
  11000 > Z
  11001 > 3
  11010 > 4
  ...
  11111 > 9

Finally, the alphanumeric string is divided into three sub-strings, each of four characters, and the sub-strings are separated by hyphens. For example:

  A4HY-8KLN-9T3M

This validation string is distributed out of band to the protocol. It may be distributed in software, printed on advertisements, letterhead and business cards, read over a telephone link, or it may be included in a register prepared by a third party, such as an industry association.

It is true that PKIX defined a digest procedure for this purpose. But, it resulted in a string (if I recall) of 32 or 40 characters. The time taken to recite a string of that length over a telephone call exceeds my attention span.

All the best. Tim.
----------------------------------------------------------------- Tim Moses 613.270.3183
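The digest procedure proposed in the message above, written out as an added example (not code from the original post or from the SAML specification). The certificate bytes are a constructed stand-in, not a real X.509 certificate; the alphabet fills in the letters the message elides with "..." (A through Z without I, then 3 through 9, which gives exactly 32 symbols).

```python
import hashlib
import hmac

# 32-symbol alphabet from the proposal: A-Z omitting I (25 letters), then 3-9 (7 digits).
ALPHABET = "ABCDEFGHJKLMNOPQRSTUVWXYZ3456789"
assert len(ALPHABET) == 32


def encode_digest(digest: bytes) -> str:
    """Turn a 20-byte SHA-1 digest into the 14-character validation string."""
    if len(digest) != 20:
        raise ValueError("expected a 20-byte SHA-1 digest")
    kept = digest[:12]                              # discard the right-most 8 bytes
    symbols = [ALPHABET[b & 0x1F] for b in kept]    # discard the left-most 3 bits of each byte
    s = "".join(symbols)                            # twelve 5-bit values: 60 bits of the digest survive
    return "-".join(s[i:i + 4] for i in (0, 4, 8))  # three 4-character groups, hyphen separated


def validation_string(cert_der: bytes) -> str:
    """Validation string for the binary (DER) form of a self-signed certificate."""
    return encode_digest(hashlib.sha1(cert_der).digest())


def matches(cert_der: bytes, claimed: str) -> bool:
    """Compare the string received out of band with the certificate actually obtained.

    Case and surrounding whitespace are ignored so a value read over the phone
    or typed by hand still compares; the comparison itself is constant-time.
    """
    expected = validation_string(cert_der)
    claimed = claimed.strip().upper()
    return hmac.compare_digest(expected.encode(), claimed.encode())


# Constructed sample input; any byte string works for the demonstration.
SAMPLE_CERT = b"constructed sample certificate bytes, not a real X.509 certificate"

if __name__ == "__main__":
    vs = validation_string(SAMPLE_CERT)
    print(vs)                          # e.g. a 14-character string like A4HY-8KLN-9T3M
    print(matches(SAMPLE_CERT, vs))    # True when the out-of-band value matches
```

A matching string only shows that the certificate in hand is the one the publisher fingerprinted; 60 bits of a SHA-1 digest is the whole strength of that check.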