W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > January to March 2001

Re: The X509Data Element clarification...

From: Tom Gindin <tgindin@us.ibm.com>
Date: Wed, 14 Feb 2001 07:58:12 -0500
To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Cc: "Donald E. Eastlake 3rd" <lde008@dma.isg.mot.com>, w3c-ietf-xmldsig@w3.org
Message-ID: <OF7A9F259B.9DC4AB24-ON852569F3.00471373@somers.hqregion.ibm.com>

     This wording is better than what I was coming up with.  But on a
related subject, why isn't the rule about elements for different but
related certificates that they SHOULD occur within different X509Data
elements of the same KeyInfo element?  I realize that it is too late to
impose a MUST rule on this.

          Tom Gindin



"Donald E. Eastlake 3rd" <dee3@torque.pothole.com>@w3.org on 02/13/2001
11:01:30 PM

Sent by:  w3c-ietf-xmldsig-request@w3.org


To:   "Donald E. Eastlake 3rd" <lde008@dma.isg.mot.com>,
      w3c-ietf-xmldsig@w3.org
cc:
Subject:  Re: The X509Data Element clarification...



How about

    Any X509IssuerSerial, X509SKI, and X509SubjectName elements that
    appear MUST refer to the certficiate or certificates containing
    the validation key.  All such elements that refer to a
    particular individual certificate MUST be grouped inside a
    single X509Data element and if the certificate to which they
    refer appears, it MUST also be in that X509Data element.

    Any X509IssuerSerial, X509SKI, and X509SubjectName elements that
    relate to the same key but different certificates MUST be
    grouped within a single KeyInfo but MAY occur in multiple
    X509Data elements.

    All certificates appearing in an X509Data element MUST relate to
    the validation key by either containing it or being part of a
    certification chain that termiantes in a certificate containing
    the validation key.

    No ordering is implied by the above constraints.

Donald

From:  "Joseph M. Reagle Jr." <reagle@w3.org>
Message-Id:  <4.3.2.7.2.20010213175523.02b18520@rpcp.mit.edu>
Date:  Tue, 13 Feb 2001 17:58:19 -0500
To:  "Donald E. Eastlake 3rd" <lde008@dma.isg.mot.com>
Cc:  Rich Salz <rsalz@caveosystems.com>, w3c-ietf-xmldsig@w3.org,
            lde008@dma.isg.mot.com
In-Reply-To:  <200102131551.KAA22833@noah.dma.isg.mot.com>
References:  <Your message of "Mon, 12 Feb 2001 22:24:41 EST."
<3A88A8F9.F77FA4D6@cav
eosystems.com>

>At 10:51 2/13/2001 -0500, Donald E. Eastlake 3rd wrote:
>> >> All X509IssuerSerial, X509SKI, and X509SubjectName elements must
refer
>> >> to certficiates with the validation key.  However, because you can
>> >> have multiple cetificates for the same key in the same X509Data
>> >> element, there may be multiple such elements referring to different
>> >> certificates or, of course, the same element.
>> >I assume you mean "certificate" for that last word.
>>Yes.
>> >Also, what about something like "No ordering is implied."
>>Sounds reasonable.
>
>I'm trying to integrate this paragraph:
>
>>All X509IssuerSerial, X509SKI, and X509SubjectName elements must refer to
>>certficiates containing the validation key. However, since multiple
>>cetificates for the same key are permitted in the same X509Data element,
>>there may be multiple such elements referring to different certificates
or,
>>of course, the same certificate. No ordering of these element types is
>>implied.
>
>with this paragraph:
>
>>Multiple declarations about a single certificate (e.g., a X509SubjectName
>>and X509IssuerSerial element) MUST be grouped inside a single X509Data
>>element; multiple declarations about the same key but different X509
>>certificates (related to that single key) MUST be grouped within a single
>>KeyInfo element but MAY occur in multiple X509Data elements.
>
>in a way that is comprehensible, but it's not working too well. Someone
else
>want to suggest some text?
>
>
>__
>Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
>W3C Policy Analyst                mailto:reagle@w3.org
>IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature
>W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
>
Received on Wednesday, 14 February 2001 07:59:11 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:12 GMT