OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: X.509 - Issues for next meeting

Tim has raised the following issues with the draft. Although I agree with
him on one of them they are both issues that the group has discussed before
and so there should be a decision of the group.

1. QName versioning

2. Remove either PKCS#7 or PKIPath

On 1. I think we are in agreement that there should be some form of
versioning mechanism. I believe that the discussion should consider the
following issues separately.

A - The version of the X.509 token - X509v3, X509v4 whatever
B - The version of the token profile wsse-v1 v2 - whatever

The constraints to bear in mind here are when do we want to break backwards
compatibility? For me the only reason for changing an identifier is to
explicitly break compatibility.

I think that the case B is best delt with through the URI prefix mechanism.

I think A is best dealt with by the QName stem, so we could have wsse:X509v3
as a QName.

On 2. the issue here is simplicity, it is better to avoid multiplicity of
mechanisms. PKIPath is designed to do the specific task we want. PKCS#7 is
simply a random bag of certs that promise no explicit relationship to
anything. Although we can reuse PKCS#7 for our purpose we are defining new
semantics in the process, we also end up with an unnecessary signature blob
on the path.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]