
wss message


Subject: New Issue: Key Identifiers Should Not Be Used for Signatures

As we discussed, the algorithm(s) for computing a Key Identifier is
profile-specific. However, the one used in the Interop with X.509 certs is
based only on the Public Key, not on any unique aspect of the certificate,
and I assume other profiles may do the same. Certainly the name suggests
that the value identifies the Key and not the Certificate, Ticket or

It makes perfect sense to use such an identifier when sending encrypted
data. Its only purpose is to indicate to the recipient which key, of possibly
several keys it knows, should be used to decrypt the data.

However, using a key identifier to indicate the key to be used for signature
validation creates an exposure to a certificate substitution. This has been
discussed in the past on the IETF PKIX list. Basically it is perfectly possible
and legal for several certificates to exist which refer to the same key
pair. Thus although the validation process succeeds, the associated identity
information is in doubt. For example, a party could later disavow a
signature by producing a certificate that contains usage constraints that
were not met. Another possibility for confusion might occur if one
certificate was revoked and the other was not, or they were revoked at
different times.

For this reason, when verifying a signature it is important for the signer
to indicate not just the key, but the certificate to be relied on.
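
The ambiguity described in the message above, as an added example that is not part of the original post: a verifier-side check showing that a key identifier derived only from the public key matches several certificates, while an issuer and serial reference names exactly one. The `Cert` record, the sample store, and the choice of SHA-1 over the raw key bytes as the identifier are assumptions made for illustration, not the profile's definition.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (not a DER parser)."""
    issuer: str
    serial: int
    subject: str
    public_key: bytes          # identical bytes mean the same key pair
    key_usage: frozenset
    revoked: bool = False

def key_identifier(cert):
    # Assumption: the identifier is a SHA-1 digest over the public key only.
    return hashlib.sha1(cert.public_key).hexdigest()

def issuer_serial(cert):
    # Certificate-specific reference: unique per issuing CA.
    return (cert.issuer, cert.serial)

def resolve_by_key_id(store, kid):
    return [c for c in store if key_identifier(c) == kid]

def resolve_by_issuer_serial(store, ref):
    return [c for c in store if issuer_serial(c) == ref]

def check_signer_reference(matches):
    """Accept only a reference that resolves to exactly one usable certificate."""
    if len(matches) != 1:
        return ("reject", f"{len(matches)} certificates match; identity is ambiguous")
    cert = matches[0]
    if cert.revoked:
        return ("reject", "certificate revoked")
    if "digitalSignature" not in cert.key_usage:
        return ("reject", "key usage does not permit signing")
    return ("accept", cert.subject)

# Constructed sample data: three certificates issued over one key pair.
KEY = b"constructed-public-key-bytes"
STORE = [
    Cert("CN=CA One", 1001, "CN=Alice", KEY, frozenset({"digitalSignature"})),
    Cert("CN=CA Two", 7, "CN=Alice", KEY, frozenset({"keyEncipherment"})),
    Cert("CN=CA One", 1002, "CN=Alice", KEY, frozenset({"digitalSignature"}), revoked=True),
]

if __name__ == "__main__":
    kid = key_identifier(STORE[0])
    print(check_signer_reference(resolve_by_key_id(STORE, kid)))
    print(check_signer_reference(resolve_by_issuer_serial(STORE, ("CN=CA One", 1001))))
```

The signature math would succeed against any of the three certificates; only the certificate-specific reference lets the verifier apply the usage constraints and revocation status of the one the signer intended.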

