Subject: Re: [dss-x] Another streamlining approach to the core
On 16-02-17 20:00, Andreas Kuehne wrote:

> Hi all,
>
> X509IssuerSerial: well established and dtmo in use widely. So maybe we
> can get away with something like this:
>
>   <xs:complexType name="StreamlinedKeyInfoType">
>     <xs:choice>
>       <xs:element name="X509IssuerSerial">
>         <xs:complexType mixed="false">
>           <xs:sequence>
>             <xs:element name="X509IssuerName" type="xs:string"/>
>             <xs:element name="X509SerialNumber" type="xs:integer"/>
>           </xs:sequence>
>         </xs:complexType>
>       </xs:element>
>     </xs:choice>
>   </xs:complexType>
>
> Greetings,
>
> Andreas

It could be time to align with XML Signature 1.1,
https://www.w3.org/TR/xmldsig-core1/ which adds:

  The dsig11:X509Digest element contains a base64-encoded digest of a
  certificate. The digest algorithm URI is identified with a required
  Algorithm attribute. The input to the digest must be the raw octets
  that would be base64-encoded were the same certificate to appear in
  the X509Certificate element.

That specification also reminds us of the following (which I'm sure
we've all encountered from time to time):

  The X509IssuerSerial element has been deprecated in favor of the
  newly-introduced dsig11:X509Digest element. The XML Schema type of
  the serial number was defined to be an integer, and XML Schema
  validators may not support integer types with decimal data exceeding
  18 decimal digits [XMLSCHEMA-2]. This has proven insufficient,
  because many Certificate Authorities issue certificates with large,
  random serial numbers that exceed this limit. As a result,
  deployments that do make use of this element should take care if
  schema validation is involved. New deployments should avoid use of
  the element.

Kind Regards,

Pim
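An added example (written for this page; it is not code from the thread, the DSS-X TC or the XML Signature 1.1 specification) that shows the two points above in working code: the dsig11:X509Digest value is computed over exactly the raw DER octets that X509Certificate would carry base64-encoded, and the serialNumber INTEGER is pulled out of the DER to check it against the 18-decimal-digit xs:integer portability limit. It uses only the Python standard library. The certificate bytes are a constructed stand-in (just the leading TLVs a certificate starts with), not a real certificate, and the function names are my own.

```python
"""Added example: dsig11:X509Digest over raw DER octets, plus a check of an
X509IssuerSerial serial number against the 18-digit xs:integer limit.
The sample certificate bytes below are constructed and NOT a real cert."""
import base64
import hashlib

DSIG11_NS = "http://www.w3.org/2009/xmldsig11#"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
XS_INTEGER_PORTABLE_DIGITS = 18  # minimum decimal digits a validator must support


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode. The result is exactly the raw
    octet string an X509Certificate element carries base64-encoded, which
    is the required input to the X509Digest digest."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def x509_digest_value(der: bytes) -> str:
    """base64(SHA-256(raw DER octets)) as carried in dsig11:X509Digest."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def x509_digest_element(der: bytes) -> str:
    """Serialise the element with its mandatory Algorithm attribute."""
    return ('<dsig11:X509Digest xmlns:dsig11="%s" Algorithm="%s">%s'
            '</dsig11:X509Digest>' % (DSIG11_NS, SHA256_URI, x509_digest_value(der)))


def _read_tlv(buf: bytes, pos: int):
    """Minimal DER TLV reader; returns (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_serial_number(der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> [0] version (optional) ->
    serialNumber, the INTEGER that X509SerialNumber would have to carry."""
    tag, pos, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)       # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:                         # EXPLICIT [0] version, skip it
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(der[start:end], "big", signed=True)


def serial_fits_xs_integer(serial: int) -> bool:
    """True if every conforming validator is guaranteed to accept the
    serial as xs:integer (at most 18 decimal digits)."""
    return len(str(abs(serial))) <= XS_INTEGER_PORTABLE_DIGITS


# --- constructed sample input (not a real certificate) ------------------
def _tlv(tag: int, content: bytes) -> bytes:
    if len(content) >= 128:                 # short-form length suffices here
        raise ValueError("sample helper only handles short-form lengths")
    return bytes([tag, len(content)]) + content


def build_sample_der(serial: int) -> bytes:
    """Constructed stand-in: only the leading TLVs of a v3 certificate
    (outer SEQUENCE, tbsCertificate SEQUENCE, [0] version, serialNumber)."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # minimal, positive
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, ser))
    return _tlv(0x30, tbs)


# A 160-bit random-looking serial of the kind many CAs now issue (constructed).
SAMPLE_SERIAL = int("0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d", 16)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(build_sample_der(SAMPLE_SERIAL)).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(x509_digest_element(der))
    serial = der_serial_number(der)
    print("serial has %d decimal digits; portable as xs:integer: %s"
          % (len(str(serial)), serial_fits_xs_integer(serial)))
```

Run as a script it prints the X509Digest element for the sample bytes and reports that the 160-bit serial has far more than 18 decimal digits, so it could not be carried portably in X509SerialNumber even though it is a perfectly ordinary serial today; the digest, by contrast, is a fixed-size string whatever the serial looks like.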