Subject: RE: [security-services] specifying the <ds:X509SKI> element
> Since the content of the SKI certificate extension (if it exists) is
> not well-defined, the use of <ds:X509SKI> for the purposes of HoK
> subject confirmation is more like <ds:X509SubjectName> or
> <ds:X509IssuerSerial>, that is, it's only useful if there's an
> underlying X.509-based PKI (which is out of scope).

That's consistent with what I was hearing and reading.

> I see two immediate advantages of this approach. First, it simplifies
> the normative language of the Holder-of-Key Assertion Profile, and
> second, it aligns with the Metadata Interoperability Profile as it's
> currently written. The latter isn't a goal of the Holder-of-Key
> Assertion Profile per se, but it's still an advantage of this new
> approach, I think.

I would agree, and I don't have any objection to treating it similarly (as part of the ability to provide hints about credentials to optimize lookup).

-- Scott