W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2000

RE: X509Data tweaks

From: Kevin Regan <kevinr@valicert.com>
Date: Wed, 16 Aug 2000 13:46:37 -0700
Message-ID: <27FF4FAEA8CDD211B97E00902745CBE201AB44F9@seine.valicert.com>
To: tgindin@us.ibm.com, "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Cc: w3c-ietf-xmldsig@w3.org

I'm curious why the leaning is now towards multiple certificates
in a single X509Data rather than 1 certificate per X509Data with
multiple X509Data elements?  Is there a good reason for this?  If not,
I don't think it would be appropriate to change the spec at this


-----Original Message-----
From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com]
Sent: Wednesday, August 16, 2000 12:22 PM
To: Donald E. Eastlake 3rd
Cc: w3c-ietf-xmldsig@w3.org
Subject: Re: X509Data tweaks

     There seems to be a misunderstanding about what I proposed.
     The format of the return is indeed a "bag of certs".  What I was
recommending was that the (or at least one) example "bag" be one that
client software could form into a chain if it so desired.  The current
example is a bag in which the certificates have no obvious relationship.
The most common case for multiple certificates "related to a single key"
indeed the case where the certificates form one or more chains, is it

          Tom Gindin

"Donald E. Eastlake 3rd" <dee3@torque.pothole.com>@w3.org on 08/16/2000
02:04:01 PM

Sent by:  w3c-ietf-xmldsig-request@w3.org

To:   w3c-ietf-xmldsig@w3.org
Subject:  Re: X509Data tweaks


From:  tgindin@us.ibm.com
To:  Brian LaMacchia <bal@microsoft.com>
cc:  "'Donald E. Eastlake 3rd'" <dee3@torque.pothole.com>,
Message-ID:  <85256938.0081A92F.00@D51MTA04.pok.ibm.com>
Date:  Fri, 11 Aug 2000 19:36:09 -0400

>     Wouldn't the example of multiple X509Data's in a single KeyInfo
>more sense if the certificates formed a chain?  There is an example,

I don't think so.

There certainly doesn't seem to be any practical necessity for this as
most X509 handling software I know about is adapted to getting a
miscellaneous bag of certificates and sifting through it for whatever
is useful.

Mandating a "chain" would start us down the slippery sloap of just
what a valid chain is, what valid roots are, what if the chain forks
to more than one root, what if the validity periods seem expired
(valid if you ar trying to do a historic validation), don't overlap,
..., what about policies, name subordination, etc. etc. etc.
Furthermore, last I know, X509 partisans answered PGP based critics by
saying that there is no need whatsoever to use X509 certificates in a
hierarchial fashion.  You can have a pure web-of-trust model that is
based on X509 certs.  What's a "chain" in that case?


>I hope is fairly understandable, in my earlier posting
>That example has X509Data's for three separate certificates, the first
>which is an end-user certificate which was the signer of the actual
>document, the second of which is a CA certificate which is the issuer
>the first certificate, and the third of which is a root CA which was
>issuer of the second certificate.
>          Tom Gindin

Received on Wednesday, 16 August 2000 16:56:24 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:34 UTC