
thoughts on X509Data

From: Kevin Regan <kevinr@valicert.com>
Date: Thu, 17 Aug 2000 13:28:01 -0700
Message-ID: <27FF4FAEA8CDD211B97E00902745CBE201AB45F1@seine.valicert.com>
To: John Boyer <jboyer@PureEdge.com>, XML DSig <w3c-ietf-xmldsig@w3.org>

I want to share one final thought about X509Data.  When creating a KeyName, KeyValue, PGPData, MgmtData, RetrievalMethod, etc., we are referring to the data for exactly one key.  However, with X509Data, we can refer to a multitude of keys/certificates.  I propose that we bring X509Data (back) in line with all the other KeyInfo elements.  This would make a lot more sense for implementations that come across an X509Data element.  If we restrict each X509Data element to refer to only a single certificate, we offer consistency with all the other KeyInfo elements.  Without this, X509Data becomes somewhat of an anomaly.

To this end, I propose the following:

    <!ELEMENT X509Data ( (X509IssuerSerial?, X509SKI?, X509SubjectName?) |
                         X509Certificate | X509CRL )>

In other words, either one of X509IssuerSerial, X509SKI, or X509SubjectName (in order), or one X509Certificate, or one X509CRL.  This seems much more consistent with the other KeyInfo elements and is much easier to deal with conceptually, from an API standpoint, and for implementations.

--Kevin



Received on Thursday, 17 August 2000 16:37:52 GMT
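As an added illustration of the content model proposed above (example code written for this archive page, not code from the post or from the XML Signature working group), the following Python checker enforces the single-certificate rule on parsed X509Data elements: at most one each of X509IssuerSerial, X509SKI and X509SubjectName in that order, or exactly one X509Certificate, or exactly one X509CRL. Tag names are compared by local name, so it does not assume any particular KeyInfo namespace; the KeyInfo document at the bottom is constructed sample input. A verifier that rejects a multi-certificate X509Data this way avoids having to guess which of several certificates is "the" signing key.

```python
"""Checker for the single-certificate X509Data content model proposed in the post.

Added illustration, not code from the post or the working group.  It enforces,
on an already-parsed <X509Data> element, the proposed content model

    ( (X509IssuerSerial?, X509SKI?, X509SubjectName?) | X509Certificate | X509CRL )

i.e. each of the three identifier children at most once and in that order,
OR exactly one X509Certificate, OR exactly one X509CRL.  Tag names are compared
by local name, so the element namespace does not matter (assumption: the
caller has already parsed the document with ElementTree).
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

IDENTIFIER_ORDER = ("X509IssuerSerial", "X509SKI", "X509SubjectName")
SINGLETONS = ("X509Certificate", "X509CRL")


def local_name(tag: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag, if present."""
    return tag.rsplit("}", 1)[-1]


def check_x509data(elem: ET.Element) -> list[str]:
    """Return a list of violations for one X509Data element (empty = conforms)."""
    names = [local_name(child.tag) for child in elem]
    problems: list[str] = []

    if not names:
        return problems  # all three identifier children are optional

    if names[0] in SINGLETONS:
        # X509Certificate / X509CRL branch: it must be the only child.
        if len(names) != 1:
            problems.append(
                f"{names[0]} must be the only child of X509Data, found {names}")
        return problems

    # Identifier branch: only the three identifier children, each at most once,
    # in the fixed order.
    unknown = [n for n in names if n not in IDENTIFIER_ORDER]
    if unknown:
        problems.append(f"unexpected children in X509Data: {unknown}")
    positions = [IDENTIFIER_ORDER.index(n) for n in names if n in IDENTIFIER_ORDER]
    if len(positions) != len(set(positions)):
        problems.append("an identifier child appears more than once")
    if positions != sorted(positions):
        problems.append(f"identifier children out of order: {names}")
    return problems


def check_document(xml_text: str) -> list[list[str]]:
    """Check every X509Data element in a document, in document order."""
    root = ET.fromstring(xml_text)
    return [check_x509data(e) for e in root.iter() if local_name(e.tag) == "X509Data"]


# Constructed sample input: three X509Data elements, of which only the first
# conforms to the proposed content model.
SAMPLE_KEYINFO = """
<KeyInfo>
  <X509Data>
    <X509IssuerSerial>CN=Example Issuer, serial 1</X509IssuerSerial>
    <X509SKI>c2FtcGxlLXNraQ==</X509SKI>
  </X509Data>
  <X509Data>
    <X509Certificate>Y2VydC0x</X509Certificate>
    <X509Certificate>Y2VydC0y</X509Certificate>
  </X509Data>
  <X509Data>
    <X509SubjectName>CN=Example Subject</X509SubjectName>
    <X509SKI>c2FtcGxlLXNraQ==</X509SKI>
  </X509Data>
</KeyInfo>
"""

if __name__ == "__main__":
    for i, problems in enumerate(check_document(SAMPLE_KEYINFO)):
        status = "ok" if not problems else "; ".join(problems)
        print(f"X509Data #{i}: {status}")
```

Run as a script it reports the second element (two certificates) and the third (SubjectName before SKI) as violations and passes the first.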
