W3C home > Mailing lists > Public > public-xmlsec@w3.org > September 2010

Text on X509Data and multiple certs

From: Scott Cantor <cantor.2@osu.edu>
Date: Tue, 21 Sep 2010 11:25:44 -0400
To: <public-xmlsec@w3.org>
Message-ID: <01fa01cb59a1$428acaf0$c7a060d0$@osu.edu>
Here's the relevant text today on X509Data usage (without having been
modified to add the X509Digest option):

"Any X509IssuerSerial, X509SKI, and X509SubjectName elements that appear
MUST refer to the certificate or certificates containing the validation key.
All such elements that refer to a particular individual certificate MUST be
grouped inside a single X509Data element and if the certificate to which
they refer appears, it MUST also be in that X509Data element.

Any X509IssuerSerial, X509SKI, and X509SubjectName elements that relate to
the same key but different certificates MUST be grouped within a single
KeyInfo but MAY occur in multiple X509Data elements."

So the case of two different certs (two X509Datas), or two hashes over the
same cert (one X509Data, multiple X509Digests), are reflected, and the unit
of reuse should be KeyInfo (or perhaps X509Data, but that's not common).

I think Brian's point warrants some additional text, so I will resend my
proposal with the algorithm changes and some text on this.

-- Scott
Received on Tuesday, 21 September 2010 15:26:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 21 September 2010 15:26:19 GMT