ws-dd message
Subject: Issue 067 - WS-Discovery - Define KeyID content in the d:Sig


This issue is assigned the number 067. For further discussions on this issue, please refer to this issue number or use this thread.

 

From: Vipul Modi
Sent: Thursday, September 18, 2008 2:24 PM
To: Ram Jeyaraman
Subject: NEW Issue - WS-Discovery - Define KeyID content in the d:Sig

 

Please defer discussions on this issue until a time this issue is accepted and is assigned a number.

 

Description:

The current specification uses the KeyId attribute defined on the d:Sig element to communicate the identity of the certificate that was used for signing and that should be used to verify the signature. In practice there are multiple ways to identify a certificate, for example CN, SKI (Subject Key Identifier), SHA-1 hash, public key, public key hash etc. In order for implementations to interoperate the spec should define what KeyId means.

 

Proposed Resolution:

X509 certificates have an extension called Subject Key Identifier (SKI). This is used in many internet standards and applications today. Compact signature in WS-Discovery should use SKI. If SKI is not present in the certificate, we should use the SHA-1 hash of the public key, from which SKI is typically derived.

 

Make the following change in Section 8 Compact Signature.

d:Security/d:Sig/@KeyId

The key identifier of the signing token. MUST be specified if a public key token is used. If included, it MUST be the Subject Key Identifier (see [RFC 5380] Section 4.2.1.2) of the signing token when present, or the SHA-1 hash of the public key of the token. If omitted, the semantics are undefined.
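The following is an added example, not code from the WS-Discovery specification or from this proposal's author, showing the two halves of the proposed rule in working form: the signer derives KeyId from the SKI extension when the certificate carries one and otherwise from the SHA-1 of the subjectPublicKey bits (RFC 5280 gives that hash as its first key-identifier method), and the verifier checks a received KeyId against a candidate certificate the same way. It uses a small hand-written DER encoder/decoder rather than a certificate library so it runs offline; the SubjectPublicKeyInfo and SKI extension are constructed inline, the public key bits are the placeholder b"abc" (chosen because its SHA-1 is a published test vector, not a real key), and carrying KeyId as a hex string on the wire is an assumption made for the illustration, not something the page specifies.

```python
"""Derive and check a WS-Discovery compact-signature KeyId as proposed:
SKI extension value when present, otherwise SHA-1 over the subjectPublicKey."""
import hashlib
import hmac
from typing import List, Optional, Tuple

# ASN.1 universal tags used below
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_NULL = 0x05
TAG_OCTET_STRING = 0x04
TAG_BIT_STRING = 0x03

SKI_OID = bytes.fromhex("551D0E")                # 2.5.29.14 id-ce-subjectKeyIdentifier
RSA_OID = bytes.fromhex("2A864886F70D010101")    # 1.2.840.113549.1.1.1 rsaEncryption


def der_encode(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite length, short and long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content


def der_decode(data: bytes, offset: int = 0) -> Tuple[int, bytes, int]:
    """Read one TLV at offset; return (tag, content, offset after the TLV)."""
    tag = data[offset]
    first = data[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("DER element runs past end of input")
    return tag, data[pos:end], end


def der_children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed element's content into its child (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_decode(content, pos)
        out.append((tag, body))
    return out


def subject_public_key_bits(spki_der: bytes) -> bytes:
    """subjectPublicKey bits from a DER SubjectPublicKeyInfo, without tag,
    length or the unused-bits byte: the input to the SHA-1 fallback."""
    tag, content, _ = der_decode(spki_der)
    if tag != TAG_SEQUENCE:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    children = der_children(content)
    if len(children) != 2 or children[1][0] != TAG_BIT_STRING:
        raise ValueError("malformed SubjectPublicKeyInfo")
    bit_string = children[1][1]
    if bit_string[0] != 0:
        raise ValueError("unused bits in subjectPublicKey are not supported")
    return bit_string[1:]


def subject_key_identifier(extension_der: bytes) -> Optional[bytes]:
    """Return the KeyIdentifier if extension_der is an SKI extension, else None.
    Extension ::= SEQUENCE { extnID OID, [critical BOOLEAN], extnValue OCTET STRING },
    and extnValue wraps SubjectKeyIdentifier ::= OCTET STRING."""
    tag, content, _ = der_decode(extension_der)
    if tag != TAG_SEQUENCE:
        return None
    children = der_children(content)
    if not children or children[0] != (TAG_OID, SKI_OID):
        return None
    extn_value = children[-1]
    if extn_value[0] != TAG_OCTET_STRING:
        return None
    inner_tag, key_id, _ = der_decode(extn_value[1])
    return key_id if inner_tag == TAG_OCTET_STRING else None


def derive_key_id(extensions_der: List[bytes], spki_der: bytes) -> bytes:
    """Signer side: SKI when the certificate carries one, else SHA-1 of the key bits."""
    for ext in extensions_der:
        ski = subject_key_identifier(ext)
        if ski is not None:
            return ski
    return hashlib.sha1(subject_public_key_bits(spki_der)).digest()


def key_id_matches(received_hex: str, extensions_der: List[bytes], spki_der: bytes) -> bool:
    """Verifier side: does the KeyId carried on d:Sig identify this candidate
    certificate? Malformed input is a mismatch; comparison is constant-time."""
    try:
        received = bytes.fromhex(received_hex)
    except ValueError:
        return False
    return hmac.compare_digest(received, derive_key_id(extensions_der, spki_der))


# Constructed sample data (not a real certificate): b"abc" stands in for the
# public key so the SHA-1 fallback equals the published test vector.
TOY_PUBLIC_KEY = b"abc"
SPKI_DER = der_encode(
    TAG_SEQUENCE,
    der_encode(TAG_SEQUENCE, der_encode(TAG_OID, RSA_OID) + der_encode(TAG_NULL, b""))
    + der_encode(TAG_BIT_STRING, b"\x00" + TOY_PUBLIC_KEY),
)
TOY_SKI = bytes.fromhex("0102030405060708090a0b0c0d0e0f1011121314")
SKI_EXTENSION_DER = der_encode(
    TAG_SEQUENCE,
    der_encode(TAG_OID, SKI_OID)
    + der_encode(TAG_OCTET_STRING, der_encode(TAG_OCTET_STRING, TOY_SKI)),
)

if __name__ == "__main__":
    print("with SKI:   ", derive_key_id([SKI_EXTENSION_DER], SPKI_DER).hex())
    print("without SKI:", derive_key_id([], SPKI_DER).hex())
```

The verifier reuses the signer's derivation so that a certificate with an SKI is only ever matched on its SKI; a KeyId equal to the hash of such a certificate's key is rejected, which keeps the two identifier forms from being confused with each other.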

 


