[wsf-c-dev] WSF4PHP API additions

James Clark james at wso2.com
Wed Dec 13 04:24:31 PST 2006


> There are other options that you have to specify

We're making a long-term commitment to the WSF/PHP API, so we need to be
very careful and consider whether a proposed API corresponds to
something that we can support over a long-period of time.

>       "encryptionKeyIdentifier" => Embedded | IssuerSerial | DirectReference | KeyIdentifier

I think this corresponds to the following Security Policy assertions:

> /sp:X509Token/wsp:Policy/sp:RequireKeyIdentifierReference
>    This optional element indicates that a key identifier reference is required when
>    referencing this token.
> /sp:X509Token/wsp:Policy/sp:RequireIssuerSerialReference
>    This optional element indicates that an issuer serial reference is required when
>    referencing this token.
> /sp:X509Token/wsp:Policy/sp:RequireEmbeddedTokenReference
>    This optional element indicates that an embedded token reference is required when
>    referencing this token.
> /sp:X509Token/wsp:Policy/sp:RequireThumbprintReference
>    This optional element indicates that a thumbprint reference is required when
>    referencing this token.

If so, I think we should use compatible terminology, maybe:

securityTokenReference => "KeyIdentifier" | "IssuerSerial" |
"EmbeddedToken" | "Thumbprint"

> e.g. "keyFileLocation"  => /path/to/file,
>      "encryptionUser"   => value,
>      "keyStorePassword" => value

-1. These look ad-hoc and non-general to me.

How do these deal with different kinds of key store?  Even if our
implementation is currently limited, we need an API that scales up to a
full implementation.

In general, it's bad to pass filenames around.  Unless the contents of
the file is large (which it is not in this case), pass the contents as a
PHP string.

Is keyStorePassword for when the private key is protected by a
passphrase?

What's the semantics of encryptionUser?

James
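As an added example (not code from WSF/PHP and not part of James's message), here is how an option block shaped the way the reply argues for could be handled in PHP: key material and certificate passed as strings rather than filenames, a separate passphrase for a protected private key, and one securityTokenReference option whose values mirror the sp:Require*Reference assertions quoted above. The option names securityTokenReference, privateKey, privateKeyPassphrase and certificate are assumptions; the demo key and certificate are generated in memory.

```php
<?php
// Added illustration, not WSF/PHP code. Option names (securityTokenReference,
// privateKey, privateKeyPassphrase, certificate) are hypothetical.

// Values of securityTokenReference mirror the WS-SecurityPolicy
// sp:X509Token/wsp:Policy/sp:Require*Reference assertions.
const TOKEN_REFERENCE_ASSERTIONS = [
    'KeyIdentifier' => 'sp:RequireKeyIdentifierReference',
    'IssuerSerial'  => 'sp:RequireIssuerSerialReference',
    'EmbeddedToken' => 'sp:RequireEmbeddedTokenReference',
    'Thumbprint'    => 'sp:RequireThumbprintReference',
];

/**
 * Validate the options and derive the token reference a message would carry.
 * Key material arrives as strings; where the bytes came from (file, env var,
 * secret store) is the caller's business, so the API does not change when
 * the key store does.
 */
function prepareSecurityOptions(array $opts): array
{
    $ref = $opts['securityTokenReference'] ?? '';
    if (!isset(TOKEN_REFERENCE_ASSERTIONS[$ref])) {
        throw new InvalidArgumentException(
            'securityTokenReference must be one of: ' .
            implode(', ', array_keys(TOKEN_REFERENCE_ASSERTIONS)));
    }

    // The passphrase is only meaningful for a passphrase-protected PEM key.
    $key = openssl_pkey_get_private($opts['privateKey'], $opts['privateKeyPassphrase'] ?? null);
    if ($key === false) {
        throw new RuntimeException('cannot load private key: ' . openssl_error_string());
    }
    $cert = openssl_x509_read($opts['certificate']);
    if ($cert === false) {
        throw new RuntimeException('cannot parse certificate: ' . openssl_error_string());
    }
    // Catch a mismatched key/certificate pair at configuration time, not at first message.
    if (!openssl_x509_check_private_key($cert, $key)) {
        throw new RuntimeException('private key does not match certificate');
    }

    $parsed = openssl_x509_parse($cert);
    $out = ['policyAssertion' => TOKEN_REFERENCE_ASSERTIONS[$ref]];
    switch ($ref) {
        case 'Thumbprint':
            // SHA-1 over the DER certificate, base64-encoded (the ThumbprintSHA1 value type).
            $out['reference'] = base64_encode(openssl_x509_fingerprint($cert, 'sha1', true));
            break;
        case 'IssuerSerial':
            $out['reference'] = ['issuer' => $parsed['issuer'], 'serial' => $parsed['serialNumber']];
            break;
        case 'KeyIdentifier':
            // Subject Key Identifier extension; null when the certificate lacks it.
            $out['reference'] = $parsed['extensions']['subjectKeyIdentifier'] ?? null;
            break;
        case 'EmbeddedToken':
            // The whole certificate as base64 DER: strip the PEM armour and whitespace.
            openssl_x509_export($cert, $pem);
            $out['reference'] = preg_replace('/-----[^-]+-----|\s+/', '', $pem);
            break;
    }
    return $out;
}

// Constructed demo input: throwaway RSA key and self-signed certificate, generated in memory.
$demoKey  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr      = openssl_csr_new(['commonName' => 'demo.example'], $demoKey, ['digest_alg' => 'sha256']);
$demoCert = openssl_csr_sign($csr, null, $demoKey, 1, ['digest_alg' => 'sha256']);
openssl_pkey_export($demoKey, $keyPem, 'demo-passphrase'); // passphrase-protected PEM string
openssl_x509_export($demoCert, $certPem);

$prepared = prepareSecurityOptions([
    'securityTokenReference' => 'Thumbprint',
    'privateKey'             => $keyPem,          // could equally be file_get_contents(...) or a secret-store lookup
    'privateKeyPassphrase'   => 'demo-passphrase',
    'certificate'            => $certPem,
]);
print_r($prepared);
```

Because the key and certificate are plain strings, the same call serves a PEM file, an environment variable or a secrets service without the API growing a new option per store; the only store-specific concern that survives in the API is the passphrase for an encrypted private key, which is what a keyStorePassword-style option would have to mean.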