Subject: RE: [wss] Questions regarding X.509 Certificate Token Profile
Blake,

I understand the difference between the PKCS#7 and DER encoded certificate format. But in the real world, people use both formatted certificates. For example, you can use both PKCS#7 and DER formatted single certificate with MS xenroll library to import a certificate into IE browser. My argument is that the spec should make it clear and unambiguous.

Kefeng Chen

-----Original Message-----
From: Blake Dournaee [mailto:blake@sarvega.com]
Sent: Monday, November 10, 2003 2:57 PM
To: 'Kefeng Chen'; bdournaee@sarvega.com
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Questions regarding X.509 Certificate Token Profile

Kefeng,

Part of the further confusion is that PKCS#7 is actually not a certificate format at all. PKCS#7 is a general cryptographic standard that happens to be able to carry around sets of X.509 certificates even though it can be used for many other things including signing and encrypting arbitrary data. In the context of WS-Security it is primarily used to carry a chain of certificates (e.g. a certs only message), but there is actually only one format for an X.509 certificate - DER encoded. Everything else is a wrapping or further encoding ("PEM") of this basic format.

Blake Dournaee
Senior Architect
Sarvega, Inc.

-----Original Message-----
From: Kefeng Chen [mailto:KefengC@geotrust.com]
Sent: Wednesday, November 05, 2003 7:27 AM
To: 'bdournaee@sarvega.com'
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Questions regarding X.509 Certificate Token Profile

Blake,

I understand what the text is trying to say. But I think it would be more accurate to state that the key element is a verification key, not the actual key used to sign the document.

On the second one, my question is when it is a single X509v3 certificate, what the binary format used is not clear. From the Microsoft IE browser, you can export a certificate in two different binary formats, DER encoded and PKCS#7 formatted. It would be nice if the profile specified exactly which one.

Kefeng Chen

-----Original Message-----
From: Blake Dournaee [mailto:bdournaee@sarvega.com]
Sent: Tuesday, November 04, 2003 6:49 PM
To: Kefeng Chen
Cc: wss@lists.oasis-open.org
Subject: Re: [wss] Questions regarding X.509 Certificate Token Profile

Kefeng -

The text could be slightly more clear with respect to the comment about KeyInfo identifying a signing key. I think the intended meaning is "The KeyInfo element indirectly identifies the signing key or the signer." It is important for the Key Info element to identify a particular signing key because it is the private signing key of the person who made the signature that is important.

As for your second question, the exact packaging of the certificate is governed by three choices at this point:

1. The raw X.509 DER encoded certificate,
2. The PKIPath construction, or
3. A PKCS#7 message that contains the signer's certificate among possibly other certificates.

I still think that these types apply as we are still referencing a <BinarySecurityToken> in section 3.2.2.

These are my observations. Others can chime in as well.

Blake Dournaee
Senior Architect
Sarvega, Inc.

Kefeng Chen wrote:
> I have some questions regarding the WSS X.509 Certificate Token Profile spec.
>
> 1. At line 245 and 292, it states "The KeyInfo element specifies the signing key...".
>    As I understand, the actual specified key is not a signing key. It is a public key
>    or verification key.
>
> 2. At line 212, it states "contains the binary X.509 security token data". It is not clear to me
>    whether the binary X.509 refers to DER encoded binary or PKCS#7 binary format.
>
> Kefeng Chen
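The thread above turns on how the bytes of a binary X.509 security token are packaged: a raw DER Certificate, a PKIPath, or a PKCS#7 message carrying the certificate, with PEM being only a further encoding of DER. A receiver that has to interoperate with senders who use either convention benefits from checking which packaging it actually got before handing the bytes to a full X.509 parser. The Python below is an added example, not code from this list thread or from the WSS profile: it reads only the outer ASN.1 DER structure and labels the token accordingly. The sample tokens it builds are constructed minimal DER skeletons with placeholder fields and a dummy signature, not real certificates, and `classify_token`, `_tlv`, `_oid_value` and the other names are this example's own.

```python
"""Sniff how a binary X.509 security token is packaged (added example, constructed samples)."""
import base64
import re

OID_PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2"
SEQUENCE, SET, OID, INTEGER, BIT_STRING, CTX0 = 0x30, 0x31, 0x06, 0x02, 0x03, 0xA0  # DER tags

def _read_tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, value, next_pos). Single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count of the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def _children(value):
    """Split a constructed element's content into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = _read_tlv(value, pos)
        out.append((tag, child))
    return out

def _oid_value(dotted):
    """Encode a dotted OID as DER content bytes (first two arcs packed, then base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunk)
    return bytes(out)

def _looks_like_certificate(tag, value):
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE,
    signatureValue BIT STRING }, with tbsCertificate opening on [0] version or INTEGER serial."""
    if tag != SEQUENCE:
        return False
    kids = _children(value)
    if [t for t, _ in kids] != [SEQUENCE, SEQUENCE, BIT_STRING]:
        return False
    tbs = _children(kids[0][1])
    return bool(tbs) and tbs[0][0] in (CTX0, INTEGER)

def classify_token(blob):
    """Label the packaging of a binary security token: PEM wrapper, raw Certificate,
    PKIPath, or PKCS#7 ContentInfo. Raises ValueError on anything else."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----|\s", b"", blob)   # drop PEM armour and line breaks
        return "PEM-wrapped " + classify_token(base64.b64decode(body))
    tag, value, end = _read_tlv(blob)
    if tag != SEQUENCE or end != len(blob):
        raise ValueError("token is not a single DER SEQUENCE")
    kids = _children(value)
    if kids and kids[0][0] == OID:         # ContentInfo ::= SEQUENCE { contentType OID, [0] content }
        if kids[0][1] == _oid_value(OID_PKCS7_SIGNED_DATA):
            return "PKCS#7 SignedData (certs carried in ContentInfo)"
        return "PKCS#7 ContentInfo with contentType " + kids[0][1].hex()
    if _looks_like_certificate(tag, value):
        return "X.509 Certificate (DER)"
    if kids and all(_looks_like_certificate(t, v) for t, v in kids):
        return "PKIPath (SEQUENCE OF Certificate)"
    raise ValueError("unrecognised DER structure")

# --- constructed sample tokens: DER skeletons with placeholder fields, not real certificates ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value

def _fake_certificate(serial):
    tbs = _tlv(SEQUENCE, _tlv(CTX0, _tlv(INTEGER, b"\x02")) + _tlv(INTEGER, bytes([serial])))
    sig_alg = _tlv(SEQUENCE, _tlv(OID, _oid_value("1.2.840.113549.1.1.11")))  # sha256WithRSA
    sig_value = _tlv(BIT_STRING, b"\x00" + b"\xab" * 8)                      # placeholder bits
    return _tlv(SEQUENCE, tbs + sig_alg + sig_value)

SAMPLE_CERT_DER = _fake_certificate(1)
SAMPLE_PKIPATH_DER = _tlv(SEQUENCE, _fake_certificate(2) + _fake_certificate(1))
_signed_data = _tlv(SEQUENCE, _tlv(INTEGER, b"\x01") + _tlv(SET, b"")                # version, digestAlgorithms
                    + _tlv(SEQUENCE, _tlv(OID, _oid_value("1.2.840.113549.1.7.1")))  # encapContentInfo (data)
                    + _tlv(CTX0, SAMPLE_CERT_DER) + _tlv(SET, b""))                  # certificates, signerInfos
SAMPLE_PKCS7_DER = _tlv(SEQUENCE, _tlv(OID, _oid_value(OID_PKCS7_SIGNED_DATA)) + _tlv(CTX0, _signed_data))
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER)
                   + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, token in [("cert", SAMPLE_CERT_DER), ("pkipath", SAMPLE_PKIPATH_DER),
                        ("pkcs7", SAMPLE_PKCS7_DER), ("pem", SAMPLE_CERT_PEM)]:
        print(f"{name:8s} -> {classify_token(token)}")
```

The three DER shapes are told apart by their first child: a ContentInfo opens with the contentType OID, a Certificate opens with a tbsCertificate whose own first element is the [0] version or the serial number, and a PKIPath opens with a whole Certificate. In a WS-Security receiver this check belongs next to the token's declared type: a value whose bytes do not match what the sender claims to have sent should be rejected rather than passed on to whichever parser happens to accept it.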