W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > July to September 2000

Re: Comments on XML-Signature S&P draft

From: <tgindin@us.ibm.com>
Date: Fri, 29 Sep 2000 18:06:42 -0400
To: TAMURA Kent <kent@trl.ibm.co.jp>
cc: w3c-ietf-xmldsig@w3.org
Message-ID: <85256969.00797353.00@D51MTA04.pok.ibm.com>
     Response to 4.4.4 below.  The one possible issue in this area I know
of is whether there should be a restriction against placing more than one
certificate for the signer's key pair in this field, and I don't recall any
such restriction being agreed on (maybe I'm wrong).

          Tom Gindin

TAMURA Kent <kent@trl.ibm.co.jp>@w3.org on 09/28/2000 09:26:59 PM

Sent by:  w3c-ietf-xmldsig-request@w3.org

To:   w3c-ietf-xmldsig@w3.org
Subject:  Comments on XML-Signature S&P draft

Members of my group read the latest Canonical XML [1] and the
latest XML Signature [2].  The following are comments on [2]
from members.

[1] http://www.w3.org/TR/2000/WD-xml-c14n-20000907
[2] http://www.w3.org/TR/2000/WD-xmldsig-core-20000918/


4.4.4 The X509Data Element
  The specification does not describe how to include certificate
chain though certificate chain is used in the example.  In the
example, how does a signature application know which certificate
has a key to verify the signature?

[TG] The effective rule is that any certificate whose subject name matches
the issuer name of any of the other certificates included is a CA from one
of the included chains, and thus signature verification should only run on
the remaining certificates.  All of the remaining certificates (normally EE
certificates) should have the SAME public key, or they will confuse
verifiers.  Does anyone think there should be a restriction to only one EE
certificate?  Can anyone think of a way in which two EE certificates with
different keys can both be "related to that single key" in a KeyInfo?
Received on Friday, 29 September 2000 18:07:04 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:21:34 UTC