

Subject: RE: [wss] Questions regarding X.509 Certificate Token Profile


Blake,

I understand the difference between the PKCS#7 and DER encoded
certificate format. But in the real world, people use both formatted
certificates. For example, you can use both PKCS#7 and DER
formatted single certificates with the MS xenroll library to import a
certificate into the IE browser.

My argument is that the spec should make it clear and unambiguous. 

Kefeng Chen
 
-----Original Message-----
From: Blake Dournaee [mailto:blake@sarvega.com]
Sent: Monday, November 10, 2003 2:57 PM
To: 'Kefeng Chen'; bdournaee@sarvega.com
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Questions regarding X.509 Certificate Token Profile


Kefeng,

Part of the further confusion is that PKCS#7 is actually not a
certificate format at all. PKCS#7 is a general cryptographic standard
that happens to be able to carry around sets of X.509 certificates even
though it can be used for many other things including signing and
encrypting arbitrary data.

In the context of WS-Security it is primarily used to carry a chain of
certificates (e.g. a certs only message), but there is actually only one
format for an X.509 certificate - DER encoded. Everything else is a
wrapping or further encoding ("PEM") of this basic format.

Blake Dournaee
Senior Architect
Sarvega, Inc.

-----Original Message-----
From: Kefeng Chen [mailto:KefengC@geotrust.com] 
Sent: Wednesday, November 05, 2003 7:27 AM
To: 'bdournaee@sarvega.com'
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Questions regarding X.509 Certificate Token Profile

Blake,

I understand what the text is trying to say. But I think it would be
more accurate to state that the key element is a verification key,
not the actual key used to sign the document.

On the second one, my question is that when it is a single X509v3
certificate, the binary format used is not clear. From the Microsoft IE
browser, you can export a certificate in two different binary formats,
DER encoded and PKCS#7 formatted. It would be nice if the profile
specified exactly which one.

Kefeng Chen



-----Original Message-----
From: Blake Dournaee [mailto:bdournaee@sarvega.com]
Sent: Tuesday, November 04, 2003 6:49 PM
To: Kefeng Chen
Cc: wss@lists.oasis-open.org
Subject: Re: [wss] Questions regarding X.509 Certificate Token Profile


Kefeng -

The text could be slightly more clear with respect to the comment about
KeyInfo identifying a signing key. I think the intended meaning is "The
KeyInfo element indirectly identifies the signing key or the signer." It
is important for the KeyInfo element to identify a particular signing
key because it is the private signing key of the person who made the
signature that is important.

As for your second question, the exact packaging of the certificate is
governed by three choices at this point: 1. the raw X.509 DER encoded
certificate, 2. the PKIPath construction, or 3. a PKCS#7 message that
contains the signer's certificate among possibly other certificates. I
still think that these types apply as we are still referencing a
<BinarySecurityToken> in section 3.2.2.

These are my observations. Others can chime in as well.

Blake Dournaee
Senior Architect
Sarvega, Inc.

Kefeng Chen wrote:

>I have some questions regarding the WSS X.509 Certificate Token Profile
>spec.
>
>1. At line 245 and 292, it states "The KeyInfo element specifies the
>signing key...".
>    As I understand, the actual specified key is not a signing key. It
>    is a public key or verification key.
>
>2. At line 212, it states "contains the binary X.509 security token
>data". It is not clear to me whether the binary X.509 refers to DER
>encoded binary or PKCS#7 binary format.
>
>Kefeng Chen
>
>
>
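The three packagings Blake lists (raw DER certificate, PKIPath, PKCS#7) all share the DER outer framing, so a receiver can tell them apart from the first few ASN.1 tags instead of guessing, which is the ambiguity Kefeng raises. The Python below is an added example, not code from this thread or from any WS-Security implementation; it classifies a BinarySecurityToken payload before any certificate parser sees it, and the byte strings at the bottom are constructed DER skeletons with placeholder contents, not real certificates.

```python
# Added example: classify a WSS BinarySecurityToken payload by its outer DER
# structure. Sample inputs are constructed skeletons, not real certificates.

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2


def read_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not expected in these structures")
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80:
            raise ValueError("non-minimal length encoding is not DER")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, pos, pos + length


def classify_token(der: bytes) -> str:
    """Return 'x509-certificate', 'pkipath', 'pkcs7-signed-data' or 'pkcs7-other'."""
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or start == end:
        raise ValueError("payload is not a non-empty DER SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after the outer SEQUENCE")
    ctag, cstart, cend = read_tlv(der, start)
    if ctag == 0x06:  # ContentInfo begins with the contentType OID
        return "pkcs7-signed-data" if der[cstart:cend] == SIGNED_DATA_OID else "pkcs7-other"
    if ctag == 0x30 and cstart < cend:
        gtag = read_tlv(der, cstart)[0]
        if gtag in (0xA0, 0x02):  # tbsCertificate: [0] version or INTEGER serial
            return "x509-certificate"
        if gtag == 0x30:  # PKIPath: SEQUENCE OF Certificate, so cert inside cert shape
            return "pkipath"
    raise ValueError("unrecognized structure")


# Constructed skeletons: valid DER shape only, contents are placeholders.
CERT_SKELETON = bytes.fromhex("3011" "3008a003020102020101" "30020500" "030100")
PKIPATH_SKELETON = bytes.fromhex("3013") + CERT_SKELETON
PKCS7_SKELETON = bytes.fromhex("300f" "06092a864886f70d010702" "a0023000")
```

The trailing-bytes check matters in practice: a certificate parser that stops at the end of the outer SEQUENCE would silently ignore anything appended after it.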

