W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2000

Re: X509Data tweaks

From: <tgindin@us.ibm.com>
Date: Wed, 16 Aug 2000 15:21:51 -0400
To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
cc: w3c-ietf-xmldsig@w3.org
Message-ID: <8525693D.006A5F79.00@D51MTA04.pok.ibm.com>
     There seems to be a misunderstanding about what I proposed.
     The format of the return is indeed a "bag of certs".  What I was
recommending was that the (or at least one) example "bag" be one that
client software could form into a chain if it so desired.  The current
example is a bag in which the certificates have no obvious relationship.
The most common case for multiple certificates "related to a single key" is
indeed the case where the certificates form one or more chains, is it not?

          Tom Gindin


"Donald E. Eastlake 3rd" <dee3@torque.pothole.com>@w3.org on 08/16/2000
02:04:01 PM

Sent by:  w3c-ietf-xmldsig-request@w3.org


To:   w3c-ietf-xmldsig@w3.org
cc:
Subject:  Re: X509Data tweaks



Hi,

From:  tgindin@us.ibm.com
To:  Brian LaMacchia <bal@microsoft.com>
cc:  "'Donald E. Eastlake 3rd'" <dee3@torque.pothole.com>,
            w3c-ietf-xmldsig@w3.org
Message-ID:  <85256938.0081A92F.00@D51MTA04.pok.ibm.com>
Date:  Fri, 11 Aug 2000 19:36:09 -0400

>     Wouldn't the example of multiple X509Data's in a single KeyInfo make
>more sense if the certificates formed a chain?  There is an example, which

I don't think so.

There certainly doesn't seem to be any practical necessity for this as
most X509 handling software I know about is adapted to getting a
miscellaneous bag of certificates and sifting through it for whatever
is useful.

Mandating a "chain" would start us down the slippery sloap of just
what a valid chain is, what valid roots are, what if the chain forks
to more than one root, what if the validity periods seem expired
(valid if you ar trying to do a historic validation), don't overlap,
..., what about policies, name subordination, etc. etc. etc.
Furthermore, last I know, X509 partisans answered PGP based critics by
saying that there is no need whatsoever to use X509 certificates in a
hierarchial fashion.  You can have a pure web-of-trust model that is
based on X509 certs.  What's a "chain" in that case?

Donald

>I hope is fairly understandable, in my earlier posting
>http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JulSep/0198.html.
>That example has X509Data's for three separate certificates, the first of
>which is an end-user certificate which was the signer of the actual
>document, the second of which is a CA certificate which is the issuer of
>the first certificate, and the third of which is a root CA which was the
>issuer of the second certificate.
>
>          Tom Gindin
Received on Wednesday, 16 August 2000 15:22:05 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:10 GMT