OASIS Mailing List Archives

Subject: Re: [wss] Questions regarding X.509 Certificate Token Profile

Kefeng -

The text could be slightly more clear with respect to the comment about
KeyInfo identifying a signing key. I think the intended meaning is "The
KeyInfo element indirectly identifies the signing key or the signer." It
is important for the Key Info element to identify a signing key because
it is the private signing key of the person who made the signature that
is important.

As for your second question, the exact packaging of the certificate is
governed by three choices at this point: 1. The raw X.509 DER encoded
certificate, 2. The PKIPath construction, or 3. A PKCS#7 message that
contains the signer's certificate among possibly other certificates. I
still think that these types apply as we are still referencing a
<BinarySecurityToken> in section 3.2.2.

These are my observations. Others can chime in as well.

Blake Dournaee
Senior Architect
Sarvega, Inc.

Kefeng Chen wrote:

>I have some questions regarding the WSS X.509 Certificate Token Profile
>1. At line 245 and 292, it states "The KeyInfo element specifies the signing
>   As I understand, the actual specified key is not a signing key. It is a
>   public key or verification key.
>2. At line 212, it states "contains the binary X.509 security token data".
>   It is not clear to me the binary X.509 refers to DER encoded binary or
>   PKCS#7 binary format.
>Kefeng Chen

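The three packagings listed in the reply above can be told apart from the outer DER structure of the decoded <BinarySecurityToken> content, which lets a receiver reject a token whose declared type does not match its bytes. This is an added example, not code from the thread or from the profile; the ValueType local names X509v3, X509PKIPathv1 and PKCS7 are taken from the published profile rather than from this thread, and the sample tokens are constructed DER skeletons, not real certificates.

```python
import base64

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def read_tlv(buf, pos, limit):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > limit:
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > limit:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:
        raise ValueError("DER element overruns its container")
    return tag, pos, pos + length

def classify(der):
    """Name the packaging from the first two nesting levels of the token."""
    tag, start, end = read_tlv(der, 0, len(der))
    if tag != 0x30 or end != len(der):
        raise ValueError("token is not exactly one DER SEQUENCE")
    tag1, s1, e1 = read_tlv(der, start, end)
    if tag1 == 0x06 and der[s1:e1] == SIGNED_DATA_OID:
        return "PKCS7"            # ContentInfo { signedData OID, content }
    if tag1 != 0x30:
        raise ValueError("unrecognised token structure")
    tag2, _, _ = read_tlv(der, s1, e1)
    if tag2 in (0xA0, 0x02):
        return "X509v3"           # child is tbsCertificate: [0] version or serial
    if tag2 == 0x30:
        return "X509PKIPathv1"    # child is a whole Certificate
    raise ValueError("unrecognised token structure")

def declared_matches(value_type, b64_token):
    """True when the ValueType's local name agrees with the decoded bytes."""
    declared = value_type.replace(":", "#").rsplit("#", 1)[-1]
    der = base64.b64decode("".join(b64_token.split()), validate=True)
    return declared == classify(der)

# Constructed DER skeletons (not real certificates), given as hex.
CERT = bytes.fromhex("300f3008a0030201020201013000030100")
PKIPATH = bytes.fromhex("3011") + CERT
PKCS7 = bytes.fromhex("300d06092a864886f70d010702a000")
```

The classifier only inspects structure; certificate path validation and signature verification still have to follow.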