[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [wss] New Issue: Clarification on use of Key Identifier whenSKI extension is not present
> What we'd like to propose is a simple alternative whereby if a SKI isn't > present, the token profile defines the default SKI as the SHA1 digest of > the certificate octets prior to base64 encodining and insertion into a > <wsse:BinarySecurityToken> element. I object to this proposal because it changes the semantics of the SKI, which is explicitly called out as a *key* identifier, to something like a CUI (cert unique identifier). X509SKI has particular semantics, and this proposal changes them. I don't think we should do that. In addition to just being wrong :), it adds to the confusion around SKI: "using the SKI can lead to incorrect trust decisions unless the cert has no SKI." I think we must either define a new cert identifier, wss:X509CUI, which has its own deployment and propagation issues, or leave things as they are. /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]