- From: TAMURA Kent <kent@trl.ibm.co.jp>
- Date: Fri, 26 Jan 2001 11:01:03 +0900
- To: w3c-ietf-xmldsig@w3.org, cwallace@erols.com
In message "Re: Multiple IssuerSerial/SubjectName/SKI in an X509Data"
on 01/01/25, "Carl Wallace" <cwallace@erols.com> writes:
> To address these two issues the text in 1) could be revised to permit the
> use of X509Certificate elements for including different certificates in a
> single X509Data element and to restrict the use of X509IssuerSerial, X509SKI
> and X509SubjectName to identify the message signer's certificate only, in
> which case there is no need to permit multiples of these three types. This
> would still leave no means of identifying the signer when presented only a
> group of X509Certificate elements other than trial and error but it would be
> an improvement.
I agree with you.
The current specification allows [A] is signer's subject name
and [B] is issuer information of CA certificate that issued
signer's certificate. That is very confusing.
<X509Data>
<X509IssuerSerial> <!-- [B] information about CA's cert -->
<X509IssuerName>CN=grand-parent CA</X509IssuerName>
<X509SerialNumber>1234</X509SerialNumber>
</X509UsserSerial>
<X509SubjectName>CN=signer</X509SubjectName> <!-- [A] information about signer's cert -->
</X509Data>
--
TAMURA Kent @ Tokyo Research Laboratory, IBM
Received on Thursday, 25 January 2001 21:01:44 UTC