Re: Multiple IssuerSerial/SubjectName/SKI in an X509Data

From: TAMURA Kent <kent@trl.ibm.co.jp>
Date: Fri, 26 Jan 2001 11:01:03 +0900
Message-Id: <200101260201.LAA10776@ns.trl.ibm.com>
To: w3c-ietf-xmldsig@w3.org, cwallace@erols.com

In message "Re: Multiple IssuerSerial/SubjectName/SKI in an X509Data"
    on 01/01/25, "Carl Wallace" <cwallace@erols.com> writes:
> To address these two issues the text in 1) could be revised to permit the
> use of X509Certificate elements for including different certificates in a
> single X509Data element and to restrict the use of X509IssuerSerial, X509SKI
> and X509SubjectName to identify the message signer's certificate only, in
> which case there is no need to permit multiples of these three types.  This
> would still leave no means of identifying the signer when presented only a
> group of X509Certificate elements other than trial and error but it would be
> an improvement.

I agree with you.

The current specification allows [A] to be the signer's subject name
and [B] to be issuer information of the CA certificate that issued
the signer's certificate.  That is very confusing.

<X509Data>
  <X509IssuerSerial>                           <!-- [B] information about CA's cert -->
    <X509IssuerName>CN=grand-parent CA</X509IssuerName>
    <X509SerialNumber>1234</X509SerialNumber>
  </X509IssuerSerial>
  <X509SubjectName>CN=signer</X509SubjectName> <!-- [A] information about signer's cert -->
</X509Data>

-- 
TAMURA Kent @ Tokyo Research Laboratory, IBM
Received on Thursday, 25 January 2001 21:01:44 GMT
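
A check a verifier could apply to the X509Data shown in the message, as an added example that is not part of the original post or of the XML Signature specification: it resolves each identifier against a set of candidate certificates and reports whether they all name the same one. The certificate summaries, the `SIGNER_ONLY` variant and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed certificate summaries (not real certificates): signer <- parent CA <- root.
CERTS = [
    {"subject": "CN=signer", "issuer": "CN=parent CA", "serial": "77"},
    {"subject": "CN=parent CA", "issuer": "CN=grand-parent CA", "serial": "1234"},
    {"subject": "CN=grand-parent CA", "issuer": "CN=grand-parent CA", "serial": "1"},
]

# X509Data as in the message: IssuerSerial names the CA's cert, SubjectName the signer's.
MIXED = """<X509Data>
  <X509IssuerSerial>
    <X509IssuerName>CN=grand-parent CA</X509IssuerName>
    <X509SerialNumber>1234</X509SerialNumber>
  </X509IssuerSerial>
  <X509SubjectName>CN=signer</X509SubjectName>
</X509Data>"""

# Constructed variant where both identifiers name the signer's certificate.
SIGNER_ONLY = MIXED.replace("CN=grand-parent CA", "CN=parent CA").replace("1234", "77")

def local(tag):
    """Drop any '{namespace}' prefix so namespaced and bare documents both parse."""
    return tag.rsplit("}", 1)[-1]

def resolve(x509data_xml, certs):
    """Map each identifier element to the indexes of the certificates it matches.
    Names are compared as exact strings; real code must normalise DNs first."""
    hits = []
    for child in ET.fromstring(x509data_xml):
        name = local(child.tag)
        if name == "X509SubjectName":
            want = {"subject": child.text.strip()}
        elif name == "X509IssuerSerial":
            parts = {local(e.tag): e.text.strip() for e in child}
            want = {"issuer": parts["X509IssuerName"], "serial": parts["X509SerialNumber"]}
        else:
            continue  # X509SKI, X509Certificate and X509CRL are out of scope here
        matched = [i for i, c in enumerate(certs) if all(c[k] == v for k, v in want.items())]
        hits.append((name, matched))
    return hits

def identifies_one_certificate(x509data_xml, certs):
    """True only if every identifier matches exactly one cert and all agree on it."""
    hits = resolve(x509data_xml, certs)
    targets = {tuple(m) for _, m in hits}
    return bool(hits) and len(targets) == 1 and len(next(iter(targets))) == 1
```

For `MIXED` the two identifiers resolve to different certificates in the chain, which is the situation the message calls confusing; `SIGNER_ONLY` passes because both point at the signer's certificate.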
