Subject: Re: [xri] Re: The elements formerly known as TargetAuthority and TargetSubject
Hi Scott,

Comments inline:

Scott Cantor wrote:
> Nat Sakimura wrote:
>> This is easier than the previous one.
>> We just want an exact match.
>
> Exact matching of any XML is complicated, but with KeyInfo it isn't
> necessarily what you want either. Comparing PKI credentials depends on the
> trust model of the PKI.
>
> If you're not relying on PKIX or some other profile of X.509, there's no
> reason to require certificate-based equivalence, for example, but even when
> you are relying on that, you rarely have total control over how credentials
> might get expressed in some other system. Certificates get renewed,
> intermediate CAs change (which would affect KeyInfo if you include a chain),
> etc.
>
> It's superficially "easy" to require matching, but it's brittle in
> practice.

Right. When I was writing "exact match", I was murmuring "whatever is 'exact match'?".

Anyways, none the less, the point is that we probably have a profile and places to reference for this case.

In case of the "1. Root ID Trust"/"Case B) : Third Party X.509 Certificate" there probably is no place to reference to, and this is even bigger a problem... That's what I wanted to especially express.

Do you have any suggestions?

=nat

>
> -- Scott
>