
Subject: RE: [wss] Questions regarding X.509 Certificate Token Profile


I understand what the text is trying to say. But I think it would be
more accurate to state that the key element is a verification key,
not the actual key used to sign the document.

On the second one, my question is when it is a single X509v3 certificate,
what the binary format used is not clear. From the Microsoft IE browser, you
can export a certificate in two different binary formats, DER encoded and PKCS#7.
It would be nice if the profile specified exactly which one.

Kefeng Chen

-----Original Message-----
From: Blake Dournaee [mailto:bdournaee@sarvega.com]
Sent: Tuesday, November 04, 2003 6:49 PM
To: Kefeng Chen
Cc: wss@lists.oasis-open.org
Subject: Re: [wss] Questions regarding X.509 Certificate Token Profile

Kefeng -

The text could be slightly more clear with respect to the comment about
KeyInfo identifying a signing key. I think the intended
meaning is "The KeyInfo element indirectly identifies the signing key or
the signer." It is important for the KeyInfo element to identify a
signing key because it is the private signing key of the person who
made the signature that is important.

As for your second question, the exact packaging of the certificate is
governed by three choices at this point: 1. The raw X.509 DER encoded
certificate, 2. The PKIPath construction, or 3. A PKCS#7 message that
contains the signer's certificate among possibly other certificates. I
still think that these types apply as we are still referencing a
<BinarySecurityToken> in section 3.2.2.

These are my observations. Others can chime in as well.

Blake Dournaee
Senior Architect
Sarvega, Inc.

Kefeng Chen wrote:

>I have some questions regarding the WSS X.509 Certificate Token Profile
>1. At line 245 and 292, it states "The KeyInfo element specifies the
>    As I understand, the actual specified key is not a signing key. It is a
>public key 
>    or verification key.
>2. At line 212, it states "contains the binary X.509 security token data".
>It is not clear to me
>   the binary X.509 refers to DER encoded binary or PKCS#7 binary format. 
>Kefeng Chen
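The three packagings Blake lists (a raw DER certificate, a PKIPath, a PKCS#7 message) have distinguishable outer ASN.1 shapes, so a receiver can check that the bytes carried in a BinarySecurityToken really are what the token claims to be instead of guessing. This is an added example, not code from the thread or from the WSS profile; the type labels X509v3/PKIPath/PKCS7 and the sample structures are constructed for illustration and are not real signed certificates.

```python
import base64

def _enc(tag, content):
    """Minimal DER TLV encoder; short-form length is enough for the samples below."""
    return bytes([tag, len(content)]) + content

def _children(buf):
    """Split a DER value into its direct (tag, value) children; handles long-form lengths."""
    out, p = [], 0
    while p < len(buf):
        tag, ln, p = buf[p], buf[p + 1], p + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, p = int.from_bytes(buf[p:p + n], "big"), p + n
        out.append((tag, buf[p:p + ln]))
        p += ln
    return out

def _looks_like_certificate(node):
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signature BIT STRING }"""
    tag, val = node
    return tag == 0x30 and [k[0] for k in _children(val)] == [0x30, 0x30, 0x03]

def classify_token(der):
    """Return 'X509v3', 'PKIPath', 'PKCS7' or None for decoded BinarySecurityToken bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    top = _children(der)[0]
    if _looks_like_certificate(top):
        return "X509v3"
    kids = _children(top[1])
    if kids and kids[0][0] == 0x06 and kids[0][1].startswith(b"\x2a\x86\x48\x86\xf7\x0d\x01\x07"):
        return "PKCS7"  # ContentInfo whose contentType OID sits under pkcs-7
    if kids and all(_looks_like_certificate(k) for k in kids):
        return "PKIPath"  # SEQUENCE OF Certificate
    return None

def encode_token(der):
    return base64.b64encode(der).decode("ascii")

def token_matches(declared, b64text):
    """True when the declared type label agrees with what the decoded bytes actually contain."""
    return classify_token(base64.b64decode(b64text)) == declared

# Constructed samples: shape-correct ASN.1 only, not real signed certificates.
_TBS = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01"))  # version v3, serial 1
_ALG = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
SAMPLE_CERT = _enc(0x30, _TBS + _ALG + _enc(0x03, b"\x00" + b"\xab" * 8))
SAMPLE_PKIPATH = _enc(0x30, SAMPLE_CERT + SAMPLE_CERT)
SAMPLE_PKCS7 = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + _enc(0xA0, _enc(0x30, b"")))
```

A real receiver would follow this shape check with full certificate parsing and chain validation; the point here is only that the three encodings the thread discusses are not interchangeable and can be told apart before any of that runs.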
