
Re: X509Data with improved example

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Thu, 07 Sep 2000 20:29:20 -0400
Message-Id: <4.3.2.7.2.20000907202910.00ba4178@rpcp.mit.edu>
To: "Donald E. Eastlake 3rd" <lde008@dma.isg.mot.com>
Cc: w3c-ietf-xmldsig@w3.org
Ok, result shown in Editors' copy:

http://www.w3.org/Signature/Drafts/WD-xmldsig-core-latest/Overview.html#sec-X509Data


At 17:51 9/7/2000 -0400, Donald E. Eastlake 3rd wrote:

>I haven't wrapped the text because I wasn't sure what the best width
>was but white space is ignored in Base64 so spaces and new lines can
>be inserted without affecting the encoded certificates.  This is the
>data provided by Tom Gindin.
>
>Thanks,
>Donald
>
><h3>4.4.4 The <a id="sec-X509Data"
>name="sec-X509Data"><code>X509Data</code></a> Element</h3>
>
><p><u>An <code>X509Data</code> element within <code>KeyInfo</code>
>contains one or more identifiers of keys or X509 certificates (or
>certificates' identifiers or revocation lists).</u>  Five types of
><code>X509Data</code> are defined:
>
><ol>
>   <li>The <code>X509IssuerSerial</code> element, which contains an
>   X.509 issuer distinguished name/serial number pair that SHOULD be
>   compliant with <u>RFC2253 [<a href="#ref-LDAP-DN">LDAP-DN</a>]</u>,
>   </li>
>   <li>The <code>X509SubjectName</code> element, which contains an
>   X.509 subject distinguished name that SHOULD be compliant with
>   <u>RFC2253 [<a href="#ref-LDAP-DN">LDAP-DN</a>]</u>, </li>
>   <li>The <code>X509SKI</code> element, which contains an X.509 subject key
>   identifier value.</li>
>   <li>The <code>X509Certificate</code> element,
>   which contains a Base64-encoded X.509v3 certificate, and</li>
>   <li>The <code>X509CRL</code> element, which contains a
>   Base64-encoded X.509v2 certificate revocation list (CRL).</li>
></ol>
>
><p>Multiple declarations about a single certificate (e.g., a
><code>X509SubjectName</code> and <code>X509IssuerSerial</code>
>element) MUST be grouped inside a single <code>X509Data</code>
>element; multiple declarations about the same key but different
>certificates (related to that single key) MUST be grouped within a
>single <code>KeyInfo</code> element but MAY occur in multiple
><code>X509Data</code> elements.  For example, the
>following block contains two pointers to certificate-A (issuer/serial
>number and SKI) and a single reference to certificate-B
>(SubjectName) and also shows use of certificate elements:</p>
>
><pre class="xml-example">   &lt;KeyInfo&gt;
>      &lt;X509Data&gt; &lt;!-- two pointers to certificate-A --&gt;
>        &lt;X509IssuerSerial&gt;
>          &lt;X509IssuerName&gt;<span class="tx">CN=TAMURA Kent, OU=TRL, O=IBM,
>            L=Yamato-shi, ST=Kanagawa, C=JP</span>&lt;/X509IssuerName&gt;
>          &lt;X509SerialNumber&gt;12345678&lt;/X509SerialNumber&gt;
>        &lt;/X509IssuerSerial&gt;
>        &lt;X509SKI&gt;31d97bd7&lt;/X509SKI&gt;
>      &lt;/X509Data&gt;
>      &lt;X509Data&gt; &lt;!-- single pointer to certificate-B --&gt;
>        &lt;X509SubjectName&gt;Subject of <u>Certificate B</u>&lt;/X509SubjectName&gt;
>      &lt;/X509Data&gt;
>      &lt;X509Data&gt; &lt;!-- certificate chain --&gt;
>        &lt;!-- Signer cert, issuer C=US,O=IBM,OU=FVT,CN=arbolCA serial 4 --&gt;
>&lt;X509Certificate&gt;MIICXTCCAcagAwIBAgIBBDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzEMMAoGA1UEChMDSUJNMQwwCgYDVQQLEwNGVlQxEDAOBgNVBAMTB2FyYm9sQ0EwHhcNMDAwODI0MTkyNTUyWhcNMDEwODI0MTkyNTUyWjBLMQswCQYDVQQGEwJVUzEMMAoGA1UEChMDSUJNMQwwCgYDVQQLEwNGVlQxIDAeBgNVBAMTF1RvbSBHaW5kaW4gRnJvbSBTdWJqZWN0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD8C6/lRE65Okdr2/zKWzpF+wq98pyi0beJdq9vVDh8pz88NSLpvN+kUdoVIUY45Xuy0VN0qB+br8vUgG6ZfxtqLO23QrNIqsU8pAIFvQ2KdjkJnWR34yfgxIOtbqMM+l0ZE4mp+V2efnhi89NihTKOB3VcEsLnEBLy3Y3+/6r26wIDAQABo2EwXzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwEAYDVR0gBAkwBzAFBgNKQwcwEQYDVR0OBAoECMJJqBBTd2oEMBMGA1UdIwQMMAqACAEOauKKX+IEMA0GCSqGSIb3DQEBBQUAA4GBAFcdMyIpWjTT3Ulv84xPLSLAXoFaZn9SjkR+OffoekYKNNxIcugZvLAbtvANPqJAFAkXkrp9zrhFXEnVfyeER0KJKCC84GTaUfMeck65vU4OtwR7JzcPNoQyYuBjJt2B7jPAdCckfJqkvaR3UKN1cMJrGocv0PIyG721ROan3Cai
>        &lt;/X509Certificate&gt;
>        &lt;!-- intermediate cert subject C=US,O=IBM,OU=FVT,CN=arbolCA issuer C=US,O=Bridgepoint,OU=FVT,CN=tootiseCA --&gt;
>        &lt;X509Certificate&gt;...
>        &lt;/X509Certificate&gt;
>        &lt;!-- root cert subject C=US,O=Bridgepoint,OU=FVT,CN=tootiseCA --&gt;
>        &lt;X509Certificate&gt;...
>        &lt;/X509Certificate&gt;
>      &lt;/X509Data&gt;
>    &lt;/KeyInfo&gt;</pre>
>
><p><u>Note: Direct provision is not made for a PKCS#7 encoded
>&quot;bag&quot; of certificates or CRLs but a set of certificates or a
>CRL can occur within an <code>X509Data</code> element and multiple
><code>X509Data</code> elements can occur in a
><code>KeyInfo</code>. Whenever multiple certificates occur in an
><code>X509Data</code> element, at least one such certificate must
>contain the public key which verifies the signature.</u></p>
>
><pre class="xml-dtd">
>    Schema Definition:
>
>    &lt;element name='X509Data'&gt;
>      &lt;complexType content='elementOnly'&gt;
>        &lt;choice minOccurs='1' maxOccurs='<u>1</u>'&gt;
>          &lt;sequence minOccurs='1' maxOccurs='<u>unbounded</u>'&gt;
>            &lt;choice minOccurs='1' maxOccurs='1'&gt;
>              &lt;element ref='ds:X509IssuerSerial'/&gt;
>              &lt;element name='X509SKI' type='ds:CryptoBinary'/&gt;
>              &lt;element name='X509SubjectName' type='string'/&gt;
>              <u>&lt;element name='X509Certificate' type='ds:CryptoBinary'/&gt;</u>
>            &lt;/choice&gt;
>          &lt;/sequence&gt;
>          <u>&lt;element name='X509CRL' type='ds:CryptoBinary'/&gt;</u>
>        &lt;/choice&gt;
>      &lt;/complexType&gt;
>    &lt;/element&gt;
>
>    &lt;element name='X509IssuerSerial'&gt;
>      &lt;complexType content='elementOnly'&gt;
>        &lt;sequence minOccurs='1' maxOccurs='1'&gt;
>          &lt;element name='X509IssuerName' type='string' minOccurs='1' maxOccurs='1'/&gt;
>          &lt;element name='X509SerialNumber' type='<u>integer</u>' minOccurs='1' maxOccurs='1'/&gt;
>        &lt;/sequence&gt;
>      &lt;/complexType&gt;
>    &lt;/element&gt;
></pre>
>
><pre class="xml-dtd">
>    DTD:
>
>  <u>  &lt;!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName |
>                       X509Certificate)+ | X509CRL)&gt;</u>
>    &lt;!ELEMENT X509IssuerSerial (X509IssuerName, X509SerialNumber) &gt;
>    &lt;!ELEMENT X509IssuerName (#PCDATA) &gt;
>    &lt;!ELEMENT X509SubjectName (#PCDATA) &gt;
>    &lt;!ELEMENT X509SerialNumber (#PCDATA) &gt;
>    &lt;!ELEMENT X509SKI (#PCDATA) &gt;
>    &lt;!ELEMENT X509Certificate (#PCDATA) &gt;
>    &lt;!ELEMENT X509CRL (#PCDATA) &gt;
></pre>


_________________________________________________________
Joseph Reagle Jr.
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/
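As an added example (not part of this post or of the editors' draft), the following Python checker applies the X509Data rules in the quoted text: the draft DTD's ((pointers)+ | X509CRL) content model, the integer type of X509SerialNumber, and ds:CryptoBinary decoding with whitespace ignored, as Donald notes. The xmldsig namespace URI and the sample KeyInfo are my own construction, and the certificate in it is placeholder bytes rather than a real DER certificate.

```python
import base64, re
import xml.etree.ElementTree as ET
CRYPTO_BINARY = ("X509SKI", "X509Certificate", "X509CRL")      # typed ds:CryptoBinary
ALLOWED = ("X509IssuerSerial", "X509SubjectName") + CRYPTO_BINARY

def local_name(tag):  # '{uri}X509Data' -> 'X509Data', so any namespace binding works
    return tag.rsplit("}", 1)[-1]

def decode_crypto_binary(text):
    # Whitespace is insignificant in Base64, so strip it first; validate=True rejects other junk.
    return base64.b64decode(re.sub(r"\s+", "", text or ""), validate=True)

def check_x509data(elem):
    """Check one X509Data against the draft DTD; return (problems, decoded values by tag)."""
    problems, found = [], {tag: [] for tag in ALLOWED}
    kinds = [local_name(c.tag) for c in elem]
    if not kinds:
        problems.append("X509Data has no children")
    elif "X509CRL" in kinds and len(kinds) > 1:  # ((pointers)+ | X509CRL): a CRL stands alone
        problems.append("X509CRL must be the only child of its X509Data")
    for kind, child in zip(kinds, elem):
        try:
            if kind == "X509IssuerSerial":  # (X509IssuerName, X509SerialNumber); serial is 'integer'
                if [local_name(g.tag) for g in child] != ["X509IssuerName", "X509SerialNumber"]:
                    raise ValueError("must be (X509IssuerName, X509SerialNumber)")
                found[kind].append(((child[0].text or "").strip(), int(child[1].text)))
            elif kind == "X509SubjectName":
                found[kind].append((child.text or "").strip())
            elif kind in CRYPTO_BINARY:
                found[kind].append(decode_crypto_binary(child.text))
            else:
                raise ValueError("not allowed inside X509Data")
        except (ValueError, TypeError) as exc:  # binascii.Error is a ValueError subclass
            problems.append(f"{kind}: {exc}")
    return problems, found

def check_keyinfo(xml_text):
    """Return [(problems, found), ...], one pair per X509Data under the KeyInfo, in document order."""
    root = ET.fromstring(xml_text)
    return [check_x509data(e) for e in root.iter() if local_name(e.tag) == "X509Data"]

# Constructed sample modelled on the post's example: assumed namespace URI, placeholder (non-DER)
# certificate bytes, and the certificate's Base64 deliberately split over two lines.
SAMPLE = """<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509IssuerSerial>
  <X509IssuerName>CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP</X509IssuerName>
  <X509SerialNumber>12345678</X509SerialNumber></X509IssuerSerial><X509SKI>31d97bd7</X509SKI></X509Data>
  <X509Data><X509SubjectName>Subject of Certificate B</X509SubjectName></X509Data>
  <X509Data><X509Certificate>cGxhY2Vob2xk
    ZXItY2VydA==</X509Certificate></X509Data>
  <X509Data><X509CRL>AAAA</X509CRL><X509SKI>31d97bd7</X509SKI></X509Data></KeyInfo>"""
```

Run `check_keyinfo(SAMPLE)`: the first three X509Data elements pass and yield the decoded pointer values, while the fourth is flagged because the draft model does not allow X509CRL alongside other children.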
Received on Thursday, 7 September 2000 20:29:50 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:11 GMT