OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] specifying the <ds:X509SKI> element

Hi Ari,

On Tue, Oct 7, 2008 at 4:40 PM, ARI KERMAIER <ARI.KERMAIER@oracle.com> wrote:
> What's meant by "the DER-encoded Subject Key Identifier (SKI) extension"?

Oops, I copied existing text from the profile document but didn't
sufficiently edit.

> Is it the entire DER-encoded Extension object, which is a sequence of OID, critical flag and value?
> Or is it the value field, which is an ASN.1 OCTET STRING, including its ASN.1 DER-encoded tags?
> Or is it the bytes of the SKI value, i.e., the content of the OCTET STRING without its tags?
> I would favor the last of these options, so we don't assume ASN.1 parsing capability on the part of an XML protocol implementation.

Yes, I think you're right.  In fact, [XMLSig] says

"The X509SKI element, which contains the base64 encoded plain (i.e.
non-DER-encoded) value of a X509 V.3 SubjectKeyIdentifier extension."

which I believe agrees with your preference.  This leads to the
following rewrite of the normative text to be included in the HoK
Assertion Profile:

"The <ds:X509Data> element MAY contain a <ds:X509SKI> element. If it
does, the <ds:X509SKI> element MUST contain the base64 encoding of the
plain (i.e., not DER-encoded) value of the Subject Key Identifier
(SKI) extension of an X.509 certificate (as specified in [XMLSig]).
If the certificate does not contain an SKI extension, the
<ds:X509Data> element MUST NOT contain a <ds:X509SKI> element."

If you prefer some different wording, let me know.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]