- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Thu, 07 Sep 2000 20:29:20 -0400
- To: "Donald E. Eastlake 3rd" <lde008@dma.isg.mot.com>
- Cc: w3c-ietf-xmldsig@w3.org
Ok, result shown in Editors' copy: http://www.w3.org/Signature/Drafts/WD-xmldsig-core-latest/Overview.html#sec-X509Data

At 17:51 9/7/2000 -0400, Donald E. Eastlake 3rd wrote:
>I haven't wrapped the text because I wasn't sure what the best width
>was but white space is ignored in Base64 so spaces and new lines can
>be inserted without affecting the encoded certificates. This is the
>data provided by Tom Gindin.
>
>Thanks,
>Donald
>
><h3>4.4.4 The <a id="sec-X509Data" name="sec-X509Data"><code>X509Data</code></a> Element</h3>
>
><p><u>An <code>X509Data</code> element within <code>KeyInfo</code>
>contains one or more identifiers of keys or X509 certificates (or
>certificates' identifiers or revocation lists).</u> Five types of
><code>X509Data</code> are defined:
>
><ol>
>  <li>The <code>X509IssuerSerial</code> element, which contains an
>  X.509 issuer distinguished name/serial number pair that SHOULD be
>  compliant with <u>RFC2253 [<a href="#ref-LDAP-DN">LDAP-DN</a>]</u>,
>  </li>
>  <li>The <code>X509SubjectName</code> element, which contains an
>  X.509 subject distinguished name that SHOULD be compliant with
>  <u>RFC2253 [<a href="#ref-LDAP-DN">LDAP-DN</a>]</u>, </li>
>  <li>The <code>X509SKI</code> element, which contains an X.509 subject key
>  identifier value.</li>
>  <li>The <code>X509Certificate</code> element,
>  which contains a Base64-encoded X.509v3 certificate, and</li>
>  <li>The <code>X509CRL</code> element, which contains a
>  Base64-encoded X.509v2 certificate revocation list (CRL).</li>
></ol>
>
><p>Multiple declarations about a single certificate (e.g., an
><code>X509SubjectName</code> and <code>X509IssuerSerial</code>
>element) MUST be grouped inside a single <code>X509Data</code>
>element; multiple declarations about the same key but different
>certificates (related to that single key) MUST be grouped within a
>single <code>KeyInfo</code> element but MAY occur in multiple
><code>X509Data</code> elements. For example, the
>following block contains two pointers to certificate-A (issuer/serial
>number and SKI) and a single reference to certificate-B
>(SubjectName) and also shows use of certificate elements:</p>
>
><pre class="xml-example">  <KeyInfo>
>    <X509Data> <!-- two pointers to certificate-A -->
>      <X509IssuerSerial>
>        <X509IssuerName><span class="tx">CN=TAMURA Kent, OU=TRL,
>        O=IBM,
>        L=Yamato-shi, ST=Kanagawa, C=JP</span></X509IssuerName>
>        <X509SerialNumber>12345678</X509SerialNumber>
>      </X509IssuerSerial>
>      <X509SKI>31d97bd7</X509SKI>
>    </X509Data>
>    <X509Data> <!-- single pointer to certificate-B -->
>      <X509SubjectName>Subject of <u>Certificate
>      B</u></X509SubjectName>
>    </X509Data>
>    <X509Data> <!-- certificate chain -->
>      <!--Signer cert, issuer C=US,O=IBM,OU=FVT,CN=arbolCA serial
>      4-->
><X509Certificate>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
>      </X509Certificate>
>      <!-- intermediate cert subject C=US,O=IBM,OU=FVT,CN=arbolCA
>      issuer,C=US,O=Bridgepoint,OU=FVT,CN=tootiseCA -->
><X509Certificate>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
>      </X509Certificate>
>      <!-- root cert subject C=US,O=Bridgepoint,OU=FVT,CN=tootiseCA
>      -->
><X509Certificate>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
>      </X509Certificate>
>    </X509Data>
>  </KeyInfo></pre>
>
><p><u>Note: Direct provision is not made for a PKCS#7 encoded
>"bag" of certificates or CRLs but a set of certificates or a
>CRL can occur within an <code>X509Data</code> element and multiple
><code>X509Data</code> elements can occur in a
><code>KeyInfo</code>. Whenever multiple certificates occur in an
><code>X509Data</code> element, at least one such certificate must
>contain the public key which verifies the signature.</u></p>
>
><pre class="xml-dtd">
>  Schema Definition:
>
>  <element name='X509Data'>
>    <complexType content='elementOnly'>
>      <choice minOccurs='1' maxOccurs='<u>1</u>'>
>        <sequence minOccurs='1' maxOccurs='<u>unbounded</u>'>
>          <choice minOccurs='1' maxOccurs='1'>
>            <element ref='ds:X509IssuerSerial'/>
>            <element name='X509SKI' type='ds:CryptoBinary'/>
>            <element name='X509SubjectName' type='string'/>
>            <u><element name='X509Certificate'
>            type='ds:CryptoBinary'/></u>
>          </choice>
>        </sequence>
>        <u><element name='X509CRL'
>        type='<u>ds:CryptoBinary</u>'/></u>
>      </choice>
>    </complexType>
>  </element>
>
>  <element name='X509IssuerSerial'>
>    <complexType content='elementOnly'>
>      <sequence minOccurs='1' maxOccurs='1'>
>        <element name='X509IssuerName' type='string' minOccurs='1'
>        maxOccurs='1'/>
>        <element name='X509SerialNumber' type='<u>integer</u>'
>        minOccurs='1' maxOccurs='1'/>
>      </sequence>
>    </complexType>
>  </element>
></pre>
>
><pre class="xml-dtd">
>  DTD:
>
>  <u> <!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName |
>  X509Certificate)+ | X509CRL)></u>
>  <!ELEMENT X509IssuerSerial (X509IssuerName, X509SerialNumber) >
>  <!ELEMENT X509IssuerName (#PCDATA) >
>  <!ELEMENT X509SubjectName (#PCDATA) >
>  <!ELEMENT X509SerialNumber (#PCDATA) >
>  <!ELEMENT X509SKI (#PCDATA) >
>  <!ELEMENT X509Certificate (#PCDATA) >
>  <!ELEMENT X509CRL (#PCDATA) >
></pre>

_________________________________________________________
Joseph Reagle Jr.
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/
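The quoted draft fixes the X509Data content model (any mix of IssuerSerial/SKI/SubjectName/Certificate pointers, or exactly one CRL, never both) and notes that whitespace inside Base64 is insignificant. The following is an added illustration, not code from the draft or the working group: it walks a KeyInfo, checks each X509Data against that content model, and returns what each block declares. It assumes the xmldsig namespace URI of the time; the sample KeyInfo is constructed and its certificate body is a placeholder, not a real certificate.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # assumed namespace for ds: elements
POINTERS = {"X509IssuerSerial", "X509SKI", "X509SubjectName", "X509Certificate"}

# Constructed sample modelled on the draft's example; the Base64 body is a
# placeholder ("hello"), not an X.509 certificate, and is split across lines
# to show that white space inside Base64 is ignored.
SAMPLE = """<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data>
    <X509IssuerSerial>
      <X509IssuerName>CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP</X509IssuerName>
      <X509SerialNumber>12345678</X509SerialNumber>
    </X509IssuerSerial>
    <X509SKI>31d97bd7</X509SKI>
  </X509Data>
  <X509Data><X509SubjectName>CN=Certificate B</X509SubjectName></X509Data>
  <X509Data><X509Certificate> aGVs
    bG8= </X509Certificate></X509Data>
</KeyInfo>"""

def check_x509data(node):
    """Check one X509Data against the draft content model
    ((X509IssuerSerial | X509SKI | X509SubjectName | X509Certificate)+ | X509CRL)
    and return a summary of what it declares."""
    kinds = [c.tag.replace(DS, "") for c in node]
    if kinds == ["X509CRL"]:
        return {"crl": True, "certs": 0, "pointers": []}
    if not kinds or not set(kinds) <= POINTERS:
        raise ValueError(f"invalid X509Data children: {kinds}")
    certs, pointers = 0, []
    for child in node:
        kind = child.tag.replace(DS, "")
        if kind == "X509IssuerSerial":
            issuer = child.findtext(DS + "X509IssuerName")
            serial = child.findtext(DS + "X509SerialNumber")
            if issuer is None or serial is None:
                raise ValueError("X509IssuerSerial needs X509IssuerName and X509SerialNumber")
            pointers.append(("IssuerSerial", issuer.strip(), int(serial)))  # serial typed integer
        elif kind == "X509Certificate":
            # Base64 ignores white space: strip it, then require a clean decode.
            base64.b64decode("".join((child.text or "").split()), validate=True)
            certs += 1
        else:
            pointers.append((kind[4:], (child.text or "").strip()))
    return {"crl": False, "certs": certs, "pointers": pointers}

def check_keyinfo(xml_text):
    """Return one summary per X509Data child of KeyInfo, in document order."""
    root = ET.fromstring(xml_text)
    return [check_x509data(d) for d in root.findall(DS + "X509Data")]
```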
Received on Thursday, 7 September 2000 20:29:50 UTC