
md-distro - Re: [md-distro] Agenda: Review and Final Meeting [0169395#]

Subject: Metadata Distribution Subcommittee of TAC

  • From: Tom Scavo <>
  • To:
  • Subject: Re: [md-distro] Agenda: Review and Final Meeting [0169395#]
  • Date: Thu, 16 Jan 2014 12:54:19 -0500

On Thu, Jan 16, 2014 at 12:07 PM, Cantor, Scott wrote:
> On 1/16/14, 11:28 AM, "Joe St Sauver" wrote:
>>
>>-- The signing certificate is defined as: "an X.509v3 certificate
>>containing a public key used to verify the signature on a metadata file;
>>a container for an RSA 2048-bit public key"
>>
>>Might it be better to describe the cert as "an X.509v3 (RFC3280) digital
>>certificate tying an identity to a public/private keypair"?

That RFC is obsolete but in any case...

> No, there is no identity involved from the point of view of how the
> certificate is being used. Adding in language that turns the certificate
> into something more than a key container is definitely not the direction
> we want.

Agreed, but the fact that this triggered a response from Joe says that
the wording is not correct. How 'bout if we change this:

"an X.509v3 certificate containing a public key"

to this:

"a self-signed X.509v3 certificate containing a public key"

?

Joe, to understand why your suggestion is actually a step in reverse,
you have to go back to Phase 1 and recall that we've completely
eliminated all traces of the legacy X.509 PKI associated with the
metadata signing key. So adding a reference to RFC5280 (or whatever)
is actually a contradiction.

>>And as for the public key "container," in InCommon usage, wouldn't that
>>actually normally be a PEM-format file, e.g.,
>>http://md.incommon.org/certs/inc-md-cert.pem ?
>
> It could be in any format you can express a certificate, I guess, PEM
> included.

The word "container" is used here in a completely non-technical
manner. For the purposes of this document, the format of the
certificate is irrelevant. In fact, if we could remove the certificate
wrapper and expose the bare public key (without breaking anything), we
would.

>>(btw, if you try to go to https://md.incommon.org/certs/inc-md-cert.pem
>>you get a cert error, because that host uses a cert that's only valid
>>for wayf.incommonfederation.org,
>
> I don't think the TLS option was on the table, based on the last round of
> conversation about this on TAC, but I'd have to go back and look.

Right, this is still an open question. IJ and I need to consider our
options and then I promised TAC I would bring this issue back for
further discussion and eventual resolution.

Tom
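
The "key container" reading discussed in this message, as an added example that is not part of the original thread and is not InCommon's own code: a relying party pins only the SubjectPublicKeyInfo inside the certificate, so names, validity dates and the signature on the wrapper play no part in the decision. The function names, the pinning approach and the certificate-shaped sample bytes are assumptions constructed for illustration.

```python
import hashlib

def read_tlv(buf, off):
    """Parse one DER TLV at off; return (tag, value_start, end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length >= 0x80:                     # long form: low bits = count of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def spki_pin(cert_der):
    """SHA-256 of subjectPublicKeyInfo; names, dates, signature are ignored."""
    _, tbs_at, _ = read_tlv(cert_der, 0)          # Certificate
    _, off, _ = read_tlv(cert_der, tbs_at)        # TBSCertificate
    tag, _, end = read_tlv(cert_der, off)
    if tag == 0xA0:                               # optional [0] version
        off = end
    for _ in range(5):    # serial, sigAlg, issuer, validity, subject
        _, _, off = read_tlv(cert_der, off)
    _, _, end = read_tlv(cert_der, off)           # subjectPublicKeyInfo
    return hashlib.sha256(cert_der[off:end]).hexdigest()

def tlv(tag, *parts):          # minimal DER encoder, only for the constructed samples
    body = b"".join(parts)
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def toy_cert(key_bits, name, not_after):
    """Constructed, certificate-shaped DER with a dummy signature (sample data)."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05)),
               tlv(0x03, b"\x00" + key_bits))
    dn = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, name))))
    validity = tlv(0x30, tlv(0x17, b"140101000000Z"), tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, dn, validity, dn, spki)
    return tlv(0x30, tbs, alg, tlv(0x03, b"\x00" * 9))   # issuer == subject above

KEY_A, KEY_B = b"\x11" * 270, b"\x22" * 270       # constructed stand-ins for RSA-2048 keys
pinned = spki_pin(toy_cert(KEY_A, b"metadata signer", b"140201000000Z"))
reissued = toy_cert(KEY_A, b"renamed signer", b"371218000000Z")   # same key, new wrapper
other = toy_cert(KEY_B, b"metadata signer", b"140201000000Z")     # same wrapper, new key
print(spki_pin(reissued) == pinned, spki_pin(other) == pinned)
```

The pin survives a reissued wrapper with a different name and expiry and changes only when the key itself changes.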


