W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2000

Re: X509Data tweaks

From: <tgindin@us.ibm.com>
Date: Thu, 17 Aug 2000 13:25:40 -0400
To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
cc: Kevin Regan <kevinr@valicert.com>, w3c-ietf-xmldsig@w3.org
Message-ID: <8525693E.005FBCBF.00@D51MTA04.pok.ibm.com>

     In view of your response to my later clarification, I hope you
understand that I am NOT primarily concerned about whether a bag of
certificates is represented as multiple elements within an X509Data or
multiple X509Data's within a KeyInfo.  I just want the example to
illustrate that the most common use of a bag of certs is one or more
chains.  I suppose I'll need to change my existing example, which has each
element of the chain as a separate X509Data, though  (see my earlier

          Tom Gindin

"Donald E. Eastlake 3rd" <dee3@torque.pothole.com> on 08/17/2000 08:50:58

To:   Tom Gindin/Watson/IBM@IBMUS, Kevin Regan <kevinr@valicert.com>,
Subject:  Re: X509Data tweaks

It says in the Syntax and Processing document "Multiple declarations
within KeyInfo refer to the same key."  An X509Data element is a
declaration within a KeyInfo element.  The conensus is that other
certificates than ones actualy containing a key don't "refer to" that
key.  Thus the minor change of putting multiple certificates from a
bag in an X509Data rather than one certificate each in multiple
X509Data's.  All the groups involved in current interoperability
testing seem to think this minor change is fine.

I'm sorry if you guys don't think the above is sufficient motivation
for this minor change.  Most people seem to think it is.  And since
you seem to agree that it is not a big deal, unless some consensus
materializes to change it again, it will stay multiple certificates
per X509Data element in this document.

(And if the current consensus for multiple certificates per X509Data
element disolves into anarchy, the entire section will be pulled from
this document and there will be no standard in this area for some time
until a hypothetical additional document gets written and approved.  I
believe this would damange interoperabiiity.)


From:  tgindin@us.ibm.com
X-Lotus-FromDomain:  IBMUS
To:  Kevin Regan <kevinr@valicert.com>
cc:  "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>,
Message-ID:  <8525693D.00779C08.00@D51MTA04.pok.ibm.com>
Date:  Wed, 16 Aug 2000 17:46:25 -0400
Content-type:  text/plain; charset=us-ascii
Content-Disposition:  inline
>     I don't know what this issue has to do with whether there are
>certificates in an X509Data, or multiple single-certificate X509Data's in
>KeyInfo either.  The example I was suggesting go into the specification
>actually had multiple related certificates in separate X509Data's within a
>single KeyInfo.
>          Tom Gindin
>Kevin Regan <kevinr@valicert.com>@w3.org on 08/16/2000 05:10:53 PM
>Sent by:  w3c-ietf-xmldsig-request@w3.org
>To:   "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>, Kevin Regan
>      <kevinr@valicert.com>
>cc:   w3c-ietf-xmldsig@w3.org
>Subject:  RE: X509Data tweaks
>I did notice the initial wording that talked about only
>having certificates "related" to the authentication public
>key.  However, I still don't see why this change has anything
>to do with moving from (a) multiple X509Data elements with a
>single X509Certificate to (b) a single X509Data element with
>multiple X509Certificate elements.
>It seems that the coin flip went with (a) initially.  I don't
>see why the change that you mentioned pushes us closer to (b)...
>-----Original Message-----
>From: Donald E. Eastlake 3rd [mailto:dee3@torque.pothole.com]
>Sent: Wednesday, August 16, 2000 2:16 PM
>To: Kevin Regan
>Cc: w3c-ietf-xmldsig@w3.org
>Subject: Re: X509Data tweaks
>I would say because the spec was being interpreted to prohibit having
>any cert in KeyInfo except ones with the signature verifying public
>key in them and requireing the use of RetrievalMethod to indicate
>any other related certs.
>From:  Kevin Regan <kevinr@valicert.com>
>To:  tgindin@us.ibm.com, "Donald E. Eastlake 3rd"
>Cc:  w3c-ietf-xmldsig@w3.org
>Date:  Wed, 16 Aug 2000 13:46:37 -0700
>>I'm curious why the leaning is now towards multiple certificates
>>in a single X509Data rather than 1 certificate per X509Data with
>>multiple X509Data elements?  Is there a good reason for this?  If not,
>>I don't think it would be appropriate to change the spec at this
Received on Thursday, 17 August 2000 13:26:39 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:34 UTC