Subject: RE: [wss] Groups - WSS-X509 draft 06-05 merged.pdf uploaded
Phill - A couple of minor suggestions.

1. As we discussed, the QNames assigned to the token types of this profile must be capable of reflecting version changes that are independent of version changes in the core specification. I believe we are awaiting guidance from the committee on how to do this in a manner that is common to all profiles.

2. (Related to 1. above). Throughout, the wsu:ValueType attribute values are currently incorrect.

3. I think the XPath URI in the second ds:Reference element in the examples should be URI="#S:Body/..". Isn't that so?

4. Line 174 should read: "If the ValueType wsse:PKCS7 is specified, then the wsse:BinarySecurityToken element SHALL contain a PKCS#7 SignedData object"

5. You might add a note to 3.3.1 along these lines: "The receiving end-point MAY use the information in the ds:X509IssuerSerial element to locate the private key-agreement key with which to decrypt the symmetric key(s). A popular way to achieve this is to calculate a digest of this information and use the result as an index to the private-key store. This, however, is a private matter with no implications for interoperability. Therefore, this profile does not prescribe a procedure."

If the key-agreement certificate had contained a subjectKeyIdentifier extension, then IT could have been used as the reference. However, this identifier is not universally employed. Furthermore, Issuer and Serial number ARE required to be present, according to the standard, and they are required to have the necessary properties (i.e. in combination they uniquely identify a certificate (and thereby the private key) for a particular key-holder). So, let's keep it simple; don't specify redundant alternatives when one solution has all the necessary properties.

6. While on that subject (and again, as we discussed), it would be highly desirable to have ONE way of conveying a bag of certificates. My preference is PKCS#7. However, if the majority prefers PKIPath, then I am happy to go along.
Let's not specify two solutions, just because we can.

All the best. Tim.

-----Original Message-----
From: pbaker@verisign.com [mailto:pbaker@verisign.com]
Sent: Sunday, June 29, 2003 10:16 PM
To: wss@lists.oasis-open.org
Subject: [wss] Groups - WSS-X509 draft 06-05 merged.pdf uploaded

The document WSS-X509 draft 06-05 merged.pdf has been submitted by Phillip Hallam-Baker (pbaker@verisign.com) to the Web Services Security TC document repository.

Document Description: Updates to X.509

Download Document: http://www.oasis-open.org/apps/org/workgroup/wss/download.php/2744/WSS-X509%20draft%2006-05%20merged.pdf

View Document Details: http://www.oasis-open.org/apps/org/workgroup/wss/document.php?document_id=2744

PLEASE NOTE: If the above links do not work for you, your email application may be breaking the link into two pieces. You may be able to copy and paste the entire link address into the address field of your web browser.

-OASIS Open Administration

You may leave a Technical Committee at any time by visiting http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php
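Point 5 of the reply above describes a receiver locating its private key-agreement key by digesting the ds:X509IssuerSerial information and using the result as an index into its key store. The following is an added Python illustration of that lookup, not code from the draft profile or from either author; the digest and normalisation rule, the wsse namespace URI used in the sample and the key-store contents are all assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}  # XML-DSig namespace (standard)

def issuer_serial_index(issuer_name: str, serial: str) -> str:
    # Digest of (issuer DN, serial) used as the private-key store index. The
    # normalisation rule (collapse DN whitespace, read the serial as the decimal
    # integer ds:X509SerialNumber carries) is an assumed local convention; the
    # profile leaves the indexing scheme a private matter of the receiver.
    dn = " ".join(issuer_name.split())
    return hashlib.sha256(f"{dn}|{int(serial.strip())}".encode()).hexdigest()

def extract_issuer_serial(keyinfo_xml: str):
    # Return (issuer name, serial) from ds:X509IssuerSerial, or None if absent.
    root = ET.fromstring(keyinfo_xml)
    node = root.find(".//ds:X509IssuerSerial", NS)
    if node is None:
        return None
    name = node.findtext("ds:X509IssuerName", namespaces=NS)
    serial = node.findtext("ds:X509SerialNumber", namespaces=NS)
    return (name, serial) if name and serial else None

def lookup_private_key(keyinfo_xml: str, key_store: dict):
    # Resolve the receiver's key-agreement key for the ds:KeyInfo of an encrypted
    # symmetric key; None means the sender referenced a certificate we do not hold.
    found = extract_issuer_serial(keyinfo_xml)
    return key_store.get(issuer_serial_index(*found)) if found else None

# Constructed sample: the receiver holds one key-agreement key, indexed by the
# issuer/serial of its own certificate (all values are made up for this example).
KEY_STORE = {
    issuer_serial_index("CN=Example Issuer CA, O=Example Corp, C=US", "1234567890"):
        "<private key handle for certificate serial 1234567890>",
}

# Constructed ds:KeyInfo of the kind section 3.3.1 discusses; the wsse namespace
# URI is assumed (OASIS WSS 1.0), the 2003 draft in this thread used another.
SAMPLE_KEYINFO = """<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>
    <ds:X509IssuerName>CN=Example Issuer CA,  O=Example Corp, C=US</ds:X509IssuerName>
    <ds:X509SerialNumber> 1234567890 </ds:X509SerialNumber>
  </ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference>
</ds:KeyInfo>"""
```

The sample deliberately carries extra whitespace in both the DN and the serial, which the normalisation absorbs; a reference to an unknown certificate, or a KeyInfo without ds:X509IssuerSerial, yields None rather than a wrong key.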