
RE: XML Signature Section 4.4 (KeyInfo)

From: Kevin Regan <kevinr@valicert.com>
Date: Wed, 12 Jul 2000 15:24:26 -0700
To: Barb Fox <bfox@Exchange.Microsoft.com>, Kevin Regan <kevinr@valicert.com>, w3c-ietf-xmldsig@w3.org
Message-id: <27FF4FAEA8CDD211B97E00902745CBE2015B882C@seine.valicert.com>
I guess my confusion comes from the phrase "refer to the same key." This wording seems (to me anyway) to suggest that each item in KeyInfo is a different representation for a single key. Certificates in a certificate chain each "refer" to (or contain) a different key, but are used to validate a specific key. Maybe the wording can be changed to be more clear...

--Kevin

-----Original Message-----
From: Barb Fox [mailto:bfox@Exchange.Microsoft.com]
Sent: Wednesday, July 12, 2000 3:17 PM
To: Kevin Regan; w3c-ietf-xmldsig@w3.org
Subject: RE: XML Signature Section 4.4 (KeyInfo)

Kevin:

I hope you are planning to come to the IETF where many of your questions
and a validation of your implementation assumptions with other
developers can get resolved. 

Yes, it's true:  "multiple declarations within KeyInfo can refer to the
same key." A certificate (and its parentage -- aka a chain) could be
attached by a signer as a hint to a verifier in making a
trust decision about the public signing key. That's the whole purpose of
KeyInfo. However, there is no reason that evidence in different forms
about the same key can be invalid. Having a public key certified by a CA
does not in any way imply that it's unique to that CA/certification
process.

--Barb

-----Original Message-----
From: Kevin Regan [mailto:kevinr@valicert.com]
Sent: Wednesday, July 12, 2000 1:38 PM
To: w3c-ietf-xmldsig@w3.org
Subject: XML Signature Section 4.4 (KeyInfo)

This section says:

        "Multiple declarations within KeyInfo refer to the same key."

Is this true?  I don't think it is if we assume that certificate
chains might be included (as per previous discussions).

--Kevin Regan

Received on Wednesday, 12 July 2000 18:32:21 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:10 GMT
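The distinction the thread draws (each certificate in a chain carries a different key, and KeyInfo is a hint to the verifier rather than a trust decision), as an added example; this is not code from either poster or from the XML Signature spec. It assumes Go's standard crypto/x509 as a stand-in for an XML Signature verifier's certificate handling, Ed25519 in place of the RSA/DSA keys of the 2000-era spec, and a throwaway CA generated at run time: VerifyWithKeyInfo scans every X509Data entry for the one whose key actually verifies the signature, then chains that certificate to the verifier's own configured roots, using the other entries only as candidate intermediates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a one-hour certificate for pub signed by parentKey; a nil parent means self-signed.
func issue(serial int64, cn string, isCA bool, parent *x509.Certificate, pub ed25519.PublicKey, parentKey ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: isCA, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent = t
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey) // constructed sample: template is known-good
	c, _ := x509.ParseCertificate(der)
	return c
}

// VerifyWithKeyInfo: pick the entry whose key verifies sig (order irrelevant), then chain it to the verifier's own roots.
func VerifyWithKeyInfo(keyInfo []*x509.Certificate, msg, sig []byte, roots *x509.CertPool) (*x509.Certificate, error) {
	inter := x509.NewCertPool() // every hinted certificate may serve as an intermediate, never as an anchor
	for _, c := range keyInfo {
		inter.AddCert(c)
	}
	for _, c := range keyInfo {
		if pub, ok := c.PublicKey.(ed25519.PublicKey); ok && ed25519.Verify(pub, msg, sig) {
			_, err := c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
			return c, err // signing certificate found; err reports the verifier's own trust decision
		}
	}
	return nil, fmt.Errorf("no certificate in KeyInfo matches the signing key")
}
func main() {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	signerPub, signerKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := issue(1, "Example CA", true, nil, caPub, caKey)
	leaf := issue(2, "Signer", false, ca, signerPub, caKey)
	msg := []byte("<SignedInfo>constructed sample</SignedInfo>")
	sig := ed25519.Sign(signerKey, msg)
	roots := x509.NewCertPool() // trust comes from here, not from what travelled with the signature
	roots.AddCert(ca)
	signer, err := VerifyWithKeyInfo([]*x509.Certificate{ca, leaf}, msg, sig, roots) // CA listed first on purpose
	fmt.Println(signer.Subject.CommonName, err)
}
```

With a longer chain (root, intermediate, leaf) the intermediate only needs to appear among the KeyInfo hints, while the root must already be in the verifier's pool; an empty pool fails the trust step even though the signature itself verifies.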