This document references "XML Encoding of SPKI Certificates" (J. Paajarvi, March 2000) and "SPKI-XML Certificate Structure" (Joan-Maria Mas Ribes and Xavier Orri Sainz de los Terreros, November 2001).
SPKI-XML Certificate Structure
A posting from Xavier Orri (Octalis SA, Belgium) announces the submission of an informational Internet Draft on "SPKI-XML Certificate Structure." The schema design takes an approach intentionally different from that of J. Paajarvi in "XML Encoding of SPKI Certificates" (March 2000). The authors' goal in the document "is to promote a discussion within the XML and SPKI community on the subject of XML encoding of SPKI certificates, to receive comments and feedback, and to further evolve it until there is something really solid and agreed upon. The draft document presents a schema in detail for SPKI, and discusses the transcoding from and to S-expressions; it also addresses some open issues that need to be further discussed with the XML and SPKI community. A principal objective in specifying the XML Schema has been to follow as much as possible the syntax and semantics defined by SPKI; the main goal was not that of defining an XML Schema for certification, but rather defining an XML Schema for the XML encoding of SPKI certificates such that transcoding from and to S-expressions is simple, using standard tools whenever possible." A corresponding XML DTD is also provided in the submission. [December 18, 2001] IETF Internet Draft for SPKI-XML Certificate Structure.
Bibliographic information for ID SPKI-XML Certificate Structure: IETF Internet Draft. Edited by Joan-Maria Mas Ribes and Xavier Orri Sainz de los Terreros. Reference: 'draft-orri-spki-xml-cert-struc-00.txt'. Date: November 2001, expires May 2002. Category: Informational. 93 pages.
This draft suggests a standard form for transforming SPKI certificates encoded using S-expressions from and to XML documents. We present an XML Schema for the encoding and validation of SPKI certificates and other SPKI objects such as sequences and ACLs, and discuss different possibilities for the transformation of S-expressions into an XML document and vice versa. The XML Schema is based on the [IETF Draft] "SPKI Certificate Structure". The main emphasis of this document is on the encoding of all SPKI constructs under XML. Additionally, this draft provides a short discussion on specific possibilities for the transformation of S-expression encoded certificates to and from XML encoded certificates. The SPKI Certificate Theory is explained in RFC2693; it is not the intention or the objective of this document to address certificate design issues.
This document represents a continuation to some, a different approach to others, of the work initiated by J. Paajarvi relative to the XML encoding of SPKI certificates in [PAAJ = "XML Encoding of SPKI Certificates," March 2000]. The authors feel both initiatives share the same goal, but take different approaches. The work in this document is based on XML Schemas instead of DTDs. [PAAJ] defines a DTD that somewhat "breaks" the syntax as defined in SPKI and makes the transcoding from/to XML to/from S-expressions rather complex. In the present document this transcoding was one of the design goals. Furthermore, [PAAJ] is based on XML digital signatures as defined in ["XML-Signature Syntax and Processing"]. The authors do not believe this is the best approach in this case.
The first sections of this document and its structure match those of the SPKI Certificate Structure (SPKI) as much as possible. Our intention is to facilitate the reading of this document for those already familiar with the specification of SPKI certificates.
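The design goal stated above (keep the XML close enough to the S-expression syntax that S-expression to XML transcoding, and back, is mechanical) is easiest to see with a small transcoder. The code below is an added example written for this page; it is not the schema or code of the Orri/Mas Ribes draft, which the page does not reproduce. The element mapping it uses is assumed for illustration: a list whose head token is a usable XML name becomes an element of that name, other lists (such as the `(* set ...)` tag wildcard) become `<list>`, and non-head atoms become `<atom type="...">`. `SAMPLE_CERT` is a constructed certificate with placeholder hashes; `parse_sexp`, `to_xml`, `from_xml`, `to_canonical` and `transcode_ok` are names chosen here. The security-relevant check is the last function: SPKI signs the hash of the canonical S-expression, so an XML encoding is only usable if transcoding back reproduces those canonical bytes exactly, not merely a similar-looking pretty-printed form.

```python
# Added example for this page (not the draft's code): an SPKI S-expression <-> XML
# transcoder. The element mapping used here is assumed for illustration only.
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample in SPKI "advanced" form; the hash values are placeholders.
SAMPLE_CERT = """(cert (issuer (hash sha1 #00112233445566778899aabbccddeeff00112233#))
  (subject (hash sha1 #ffeeddccbbaa99887766554433221100ffeeddcc#)) (propagate)
  (tag (ftp (* set read write) "ftp.example.com")) (not-after "2002-05-31_00:00:00"))"""

# Lexer: "(", ")", "string", |base64|, #hex#, or a bare token.
_LEX = re.compile(r'\s*(?:(\()|(\))|"([^"]*)"|\|([^|]*)\||#([^#]*)#|([A-Za-z0-9_\-.:*+/=]+))')
# Assumed mapping: a list whose head token is a usable XML name becomes that element
# ("atom" and "list" are reserved); other lists become <list>; atoms become <atom type>.
_XML_NAME = re.compile(r"^(?!atom$|list$)[A-Za-z_][A-Za-z0-9_.\-]*$")


def parse_sexp(text):
    """Parse exactly one S-expression: lists -> Python lists, atoms -> (kind, value)."""
    stack, pos = [[]], 0
    while pos < len(text):
        m = _LEX.match(text, pos)
        if not m:
            if text[pos:].strip():
                raise ValueError("bad input at offset %d" % pos)
            break
        pos = m.end()
        lp, rp, s, b64, hx, tok = m.groups()
        if lp:
            stack.append([])
        elif rp:
            if len(stack) == 1:
                raise ValueError("unbalanced ')' at offset %d" % pos)
            done = stack.pop()
            stack[-1].append(done)
        elif s is not None:
            stack[-1].append(("string", s))
        elif tok is not None:
            stack[-1].append(("token", tok))
        else:  # |base64| or #hex#; both decode to raw bytes
            raw = base64.b64decode(b64, validate=True) if b64 is not None else bytes.fromhex(hx)
            stack[-1].append(("bytes", raw))
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("expected one complete S-expression")
    return stack[0][0]


def to_xml(node):
    """S-expression tree -> ElementTree element under the assumed mapping."""
    if isinstance(node, tuple):
        kind, value = node
        el = ET.Element("atom", {"type": kind})
        el.text = base64.b64encode(value).decode() if kind == "bytes" else value
        return el
    head = node[0] if node and isinstance(node[0], tuple) else (None, None)
    if head[0] == "token" and _XML_NAME.match(head[1]):
        el, rest = ET.Element(head[1]), node[1:]
    else:  # e.g. (* set read write): "*" is not an XML name, keep it as an atom
        el, rest = ET.Element("list"), node
    for child in rest:
        el.append(to_xml(child))
    return el


def from_xml(el):
    """Inverse of to_xml."""
    if el.tag == "atom":
        kind, text = el.get("type"), el.text or ""
        return (kind, base64.b64decode(text) if kind == "bytes" else text)
    items = [from_xml(child) for child in el]
    return items if el.tag == "list" else [("token", el.tag)] + items


def to_sexp(node):
    """Human-readable (advanced) S-expression text."""
    if isinstance(node, list):
        return "(" + " ".join(map(to_sexp, node)) + ")"
    kind, value = node
    if kind == "bytes":
        return "|%s|" % base64.b64encode(value).decode()
    return value if kind == "token" else '"%s"' % value


def to_canonical(node):
    """Canonical S-expression bytes: the form SPKI hashes and signs."""
    if isinstance(node, list):
        return b"(" + b"".join(map(to_canonical, node)) + b")"
    kind, value = node
    raw = value if kind == "bytes" else value.encode()
    return b"%d:%s" % (len(raw), raw)


def sexp_to_xml(text):
    return ET.tostring(to_xml(parse_sexp(text)), encoding="unicode")


def xml_to_sexp(xml_text):
    return to_sexp(from_xml(ET.fromstring(xml_text)))


def transcode_ok(text):
    """True iff S-exp -> XML -> S-exp reproduces the canonical bytes, so a signature
    over the original object would still verify after the round trip."""
    try:
        original = parse_sexp(text)
        back = parse_sexp(xml_to_sexp(sexp_to_xml(text)))
    except ValueError:
        return False
    return to_canonical(original) == to_canonical(back)
```

Running `sexp_to_xml(SAMPLE_CERT)` gives nested elements such as `<cert><issuer><hash><atom type="token">sha1</atom><atom type="bytes">...</atom></hash></issuer>...`, and `transcode_ok(SAMPLE_CERT)` confirms the canonical bytes survive. Note that the canonical form does not distinguish a bare token from a quoted string (both become `length:bytes`), so the `type` attribute exists only to make the readable form round-trip; a verifier should compare canonical bytes, as `transcode_ok` does, rather than the pretty-printed text.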
[June 30, 2000] "SPKI. Simple Public Key Certificate." See: IETF Internet Draft "draft-ietf-spki-cert-structure-06.txt".
Abstract of "XML Encoding of SPKI Certificates" (J. Paajarvi, March 2000): "This draft suggests a standard form for encoding SPKI certificates in XML as opposed to the original s-expression encoding defined in [SPKI]. The standard form is defined as an XML document type definition (DTD). The main emphasis is on the XML-encoding of an authorization certificate that is the basic SPKI certificate form. This draft also provides a brief introduction to XML and a short discussion about the benefits of choosing XML as the certificate encoding format. In addition, this draft discusses the problems of automatic processing of tags (attributes and authorizations transferred by a certificate are called tags in SPKI) when reducing certificates. An example of encoding Java permissions in an SPKI certificate is given to demonstrate the problem and, finally, a solution to this problem is suggested."
"The actual semantics and theory of SPKI certificates are discussed in more detail in RFC 2693 "SPKI Certificate Theory" [RFC2693]. The already expired draft "Simple Public Key Certificate" [SPKI] defines s-expression structures for SPKI certificates. Basically, this draft discusses SPKI as it is presented in [SPKI]. The major difference is the use of XML-encoding. In addition, a problem in SPKI tag processing is discussed and a solution is proposed. The main content of this draft is the XML-encoding of SPKI authorization certificates. Authorization certificates are the most important SPKI certificate structure. XML DTD definitions are also given for name certificates, ACLs, CRLs and online test reply formats, but these structures are not explained in this draft. [SPKI] explains the semantics of these objects. This version does not have any definition of sequence formats presented in [SPKI]. These shortages may be fixed in the next versions of this draft. Unlike [SPKI], this document does not describe 5-tuple reduction rules. The descriptions in [RFC2693] and [SPKI] are considered to be sufficient."
Background: "Certificates are needed as a part of security architecture in many applications. Because of their complexity, only a few developers are able to implement certificate tools and utilize certificates in their own applications. Certificate tools are also very expensive due to the complexity of certificate technology. Cryptography is surely the most difficult technology that must be mastered in implementing certificate tools. Another difficulty often faced by programmers is the encoding format required for certificates. X.509 certificates are encoded as ASN.1 data structures, and SPKI certificates utilize s-expressions as their encoding format. Neither of these encoding formats is widely used in the Internet. This raises the question: 'Could there be a simpler, more widely used format for encoding certificates?' This draft suggests the use of XML as the encoding format for certificates and represents a standard form for encoding SPKI authorization certificates in XML. There are a number of reasons why XML is a good choice for encoding certificates. . ."
"This draft suggests the use of XML-encoding for SPKI certificates. The main purpose of this draft is to define the XML-encoding, not to present new ideas about SPKI."
SPKI-XML Certificate Structure. Internet Draft 'draft-orri-spki-xml-cert-struc-00.txt'
Transformation from S-expressions to XML documents. Code and examples from C. M. Ellison.
SPKI XML DTD - From the March 2000 draft.
'The theory behind SPKI certificates has been summarized in a journal paper: Ellison, "The nature of a usable PKI", Computer Networks 31 (1999), pages 823-830. This paper includes figures that might help in reading RFC2693, although the RFC is far more detailed and complete than this paper.'