- From: <tgindin@us.ibm.com>
- Date: Fri, 28 Jul 2000 14:54:39 -0400
- To: "Gregor Karlinger" <gregor.karlinger@iaik.at>
- cc: "Barb Fox" <bfox@Exchange.Microsoft.com>, "Joseph M. Reagle Jr." <reagle@w3.org>, "XML" <w3c-ietf-xmldsig@w3.org>, "Brian LaMacchia" <bal@microsoft.com>
I agree with you. I don't see why we should shift from having lots of
certificates allowed, with no guaranteed relationship between them, to
having only the EE certificate allowed and not allowing chains. It makes
more sense, IMO, to set requirements on which certificates are allowed
along the lines of some earlier suggestions - for example, allowing only
one EE certificate and requiring that all other certificates be part of a
certification chain for that one. We could even require that there be only
one chain and that the certificates appear in leaf-first order - it would
still be better than just a leaf and it would not be very hard to
implement.
Tom Gindin
"Gregor Karlinger" <gregor.karlinger@iaik.at>@w3.org on 07/27/2000 03:54:06
AM
Sent by: w3c-ietf-xmldsig-request@w3.org
To: "Gregor Karlinger" <gregor.karlinger@iaik.at>, "Barb Fox"
<bfox@Exchange.Microsoft.com>, "Joseph M. Reagle Jr." <reagle@w3.org>
cc: "XML" <w3c-ietf-xmldsig@w3.org>, "Brian LaMacchia"
<bal@microsoft.com>
Subject: AW: Errors and Questions
Sorry, I hit the wrong key on my keyboard, and the message was gone ...
Hi Barb,
> [GK20]Only a single certificate possible here? [Barb] Yes. One per
clause.
Please see my comment on [GK20] in my previous message:
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JulSep/0176.html
Regards, Gregor
---------------------------------------------------------------
Gregor Karlinger
mailto://gregor.karlinger@iaik.at
http://www.iaik.at
Phone +43 316 873 5541
Institute for Applied Information Processing and Communications
Austria
---------------------------------------------------------------
Received on Friday, 28 July 2000 14:55:05 UTC