OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xri message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xri] Re: The elements formerly known as TargetAuthority and TargetSubject

Hi Scott,

Comments inline:

Scott Cantor wrote:
> Nat Sakimura wrote:
>> This is easier than the previous one.
>> We just want an exact match.
> Exact matching of any XML is complicated, but with KeyInfo it isn't
> necessarily what you want either. Comparing PKI credentials depends on the
> trust model of the PKI.
> If you're not relying on PKIX or some other profile of X.509, there's no
> reason to require certificate-based equivalence, for example, but even 
> when
> you are relying on that, you rarely have total control over how 
> credentials
> might get expressed in some other system. Certificates get renewed,
> intermediate CAs change (which would affect KeyInfo if you include a 
> chain),
> etc.
> It's superficially "easy" to require matching, but it's brittle in 
> practice.

Right. When I was writing "exact match", I was murmuring
"whatever is 'exact match'?". Anyways, none the less,
the point is that we probably have a profile and places
to reference for this case.

In case of the "1. Root ID Trust"/"Case B) : Third Party X.509 Certificate"
there probably is no place to reference to, and this is
even bigger a problem... That's what I wanted to especially express.

Do you have any suggestions?


> -- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]