OASIS Mailing List Archives
security-services message



Subject: RE: [security-services] Minutes minutes SSTC/SAML concall Tue 21-Oct-2008


> ts: it came up on last call, started from a comment Scott Cantor (sc)
> made wrt previous version of profile, has to do with <ds: x509 cert>
> element -- what is format of such cert?  his comment had to do with
> encoding, spec says encoding should be DER, but perhaps it should be
> left unspecified. I didn't change it in this rev of the doc, because I
> don't see wisdom in that, not sure why someone would not specify it, it
> would make it difficult for RP to do confirmation w/o knowing what the
> encoding is, hoping someone can justify this, AFAIK that is only
> significant issue remaining in that profile

The justification for not requiring DER is that doing so would be analogous
to us requiring XML be encoded as UTF-8 instead of relying on the XML to
signal the encoding used.

In the case of certificates, ASN.1 is the substrate and, I'm led to
understand, implementations of ASN.1 libraries handle the encodings that
people use, just as XML parsers handle the encodings that people use.

In other words, I'm told that it's left open in XMLSignature for a reason,
and it's not clear to me why we have any better reason to constrain it than
we would for the XML encoding.

Alternatively, I guess I'd be in favor of making this a RECOMMENDED
encoding, but doing that in SAML core itself, rather than requiring every
profile that touches this element to repeat it.

-- Scott
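As an added illustration of the relying-party side of this question (example code written for this page, not anything from the thread, from OASIS, or from any SAML implementation): XML Signature carries the certificate in ds:X509Certificate as base64 text of the certificate's bytes, so what an RP actually receives after decoding is an opaque byte string whose encoding it has to recognise. The check below decodes that text and classifies it as DER (a definite-length SEQUENCE with a minimally encoded length that exactly covers the data, per X.690), as a BER-only construction (indefinite or non-minimal length), or as PEM text that was base64-encoded a second time. The ds:KeyInfo snippet and the sample blobs are constructed here; the SEQUENCE { INTEGER 1 } stand-in is not a real certificate, and the check only inspects the outer ASN.1 envelope, not the X.509 structure inside it.

```python
import base64
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def parse_der_length(buf, pos):
    """Return (length, next_pos) for the length octets at buf[pos].

    Raises ValueError for encodings BER allows but DER forbids:
    the indefinite form (0x80) and non-minimal long-form lengths.
    """
    first = buf[pos]
    if first < 0x80:                      # short form: one octet
        return first, pos + 1
    n = first & 0x7F                      # long form: n following octets
    if n == 0:
        raise ValueError("indefinite length: BER, not DER")
    if n > 4 or pos + 1 + n > len(buf):
        raise ValueError("length field truncated or implausibly long")
    value = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    # DER: use the short form when possible, and no leading zero octets.
    if value < 0x80 or value < (1 << (8 * (n - 1))):
        raise ValueError("non-minimal length: BER, not DER")
    return value, pos + 1 + n


def classify_certificate_bytes(blob):
    """Classify decoded ds:X509Certificate content as 'der', 'ber' or 'pem'.

    Anything else (wrong outer tag, length not matching the data) is an error.
    """
    if blob.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem"                      # PEM text base64-encoded twice
    if not blob or blob[0] != 0x30:       # X.509 Certificate is a SEQUENCE
        raise ValueError("not an ASN.1 SEQUENCE")
    try:
        length, body = parse_der_length(blob, 1)
    except ValueError as exc:
        if "BER" in str(exc):
            return "ber"
        raise
    if body + length != len(blob):
        raise ValueError("SEQUENCE length does not cover the data exactly")
    return "der"


def certificate_encoding_from_keyinfo(xml_text):
    """Locate ds:X509Certificate inside a ds:KeyInfo fragment and classify it."""
    root = ET.fromstring(xml_text)
    el = root.find(f".//{{{DS_NS}}}X509Certificate")
    if el is None or not el.text:
        raise ValueError("no ds:X509Certificate element")
    raw = base64.b64decode("".join(el.text.split()))   # tolerate line wrapping
    return classify_certificate_bytes(raw)


# Constructed sample inputs (stand-ins, not real certificates):
DER_BLOB = b"\x30\x03\x02\x01\x01"                 # SEQUENCE { INTEGER 1 }, DER
BER_INDEFINITE = b"\x30\x80\x02\x01\x01\x00\x00"   # same value, indefinite length
BER_NONMINIMAL = b"\x30\x81\x03\x02\x01\x01"       # length 3 in long form
PEM_BLOB = (b"-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(DER_BLOB) + b"\n-----END CERTIFICATE-----\n")


def sample_keyinfo(blob):
    """Wrap raw bytes the way XML Signature carries them (constructed fragment)."""
    b64 = base64.b64encode(blob).decode("ascii")
    return (f'<ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data>'
            f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
            f"</ds:X509Data></ds:KeyInfo>")


def demo():
    """Classify each constructed sample as it would arrive in a ds:KeyInfo."""
    return {name: certificate_encoding_from_keyinfo(sample_keyinfo(blob))
            for name, blob in [("der", DER_BLOB), ("ber_indefinite", BER_INDEFINITE),
                               ("ber_nonminimal", BER_NONMINIMAL), ("pem", PEM_BLOB)]}


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name:15s} -> {kind}")
```

The point the check makes concrete: a DER-only consumer would reject two of the four samples outright, while a BER-tolerant ASN.1 library would accept three of them, so whether the profile says "DER", "RECOMMENDED DER", or nothing changes which of these an RP has to be prepared for. Only the outer envelope is examined here; comparing a received certificate against a configured one byte-for-byte (as some confirmation methods do) is exactly where a BER re-encoding of the same certificate would fail to match.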



