OASIS Mailing List Archives

security-services message


Subject: RE: [security-services] specifying the <ds:X509SKI> element

> Since the content of the SKI certificate extension (if it exists) is
> not well-defined, the use of <ds:X509SKI> for the purposes of HoK
> subject confirmation is more like <ds:X509SubjectName> or
> <ds:X509IssuerSerial>, that is, it's only useful if there's an
> underlying X.509-based PKI (which is out of scope).

That's consistent with what I was hearing and reading.

> I see two immediate advantages of this approach.  First, it simplifies
> the normative language of the Holder-of-Key Assertion Profile, and
> second, it aligns with the Metadata Interoperability Profile as it's
> currently written.  The latter isn't a goal of the Holder-of-Key
> Assertion Profile per se, but it's still an advantage of this new
> approach, I think.

I would agree, and I don't have any objection to treating it similarly (as
part of the ability to provide hints about credentials to optimize lookup).

-- Scott
