Re: How do I represent a Certificate Chain

From: Ari Kermaier <arik@phaos.com>
Date: Tue, 22 Jan 2002 14:55:00 -0500
Message-Id: <5.1.0.14.2.20020122145054.02500020@verio.phaos.com>
To: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>, w3c-ietf-xmldsig@w3.org

Hi Christian,

Well, the text in Section 4.4.4 of XML-DSIG

    All certificates appearing in an X509Data element MUST relate to the
    validation key by either containing it or being part of a
    certification chain that terminates in a certificate containing the
    validation key.

and the example

      <KeyInfo>
        <!-- ... -->
        <X509Data> <!-- certificate chain -->
          <!--Signer cert, issuer CN=arbolCA,OU=FVT,O=IBM,C=US, serial 4-->
          <X509Certificate>MIICXTCCA..</X509Certificate>
          <!-- Intermediate cert subject CN=arbolCA,OU=FVT,O=IBM,C=US
               issuer CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
          <X509Certificate>MIICPzCCA...</X509Certificate>
          <!-- Root cert subject CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
          <X509Certificate>MIICSTCCA...</X509Certificate>
        </X509Data>
      </KeyInfo>

seem to suggest the first structure.

Ari

>Hi all,
>
>how do I represent a chain of certificates? If I have 3 certificates,
>
>
><ds:X509Data>
><ds:X509Certificate>base64ofcert1</ds:X509Certificate>
><ds:X509Certificate>base64ofcert2</ds:X509Certificate>
><ds:X509Certificate>base64ofcert3</ds:X509Certificate>
></ds:X509Data>
>
>
>or (which would make more sense to me):
>
><ds:X509Data>
><ds:X509Certificate>base64ofcert1</ds:X509Certificate>
></ds:X509Data>
><ds:X509Data>
><ds:X509Certificate>base64ofcert2</ds:X509Certificate>
></ds:X509Data>
><ds:X509Data>
><ds:X509Certificate>base64ofcert3</ds:X509Certificate>
></ds:X509Data>
>
>
>
>Regards,
>Christian
>
Received on Tuesday, 22 January 2002 14:55:03 GMT
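
The two layouts from the question, as seen by a consumer that treats each `ds:X509Data` element as one set of certificates for a single validation key (an added example, not from the original thread or the specification; the names `x509data_groups` and `build_keyinfo` and the placeholder certificate bytes are constructed for illustration):

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"  # XML-DSIG namespace


def x509data_groups(keyinfo_xml):
    """Return one list of decoded certificate blobs per ds:X509Data child."""
    root = ET.fromstring(keyinfo_xml)
    if root.tag != f"{{{DS}}}KeyInfo":
        raise ValueError("root element is not ds:KeyInfo")
    groups = []
    for data in root.findall(f"{{{DS}}}X509Data"):
        certs = []
        for el in data.findall(f"{{{DS}}}X509Certificate"):
            # Base64 content may be line-wrapped; drop whitespace, then
            # decode strictly so stray characters are rejected.
            text = "".join((el.text or "").split())
            certs.append(base64.b64decode(text, validate=True))
        groups.append(certs)
    return groups


def build_keyinfo(groups):
    """Build a ds:KeyInfo document with one ds:X509Data per inner list."""
    body = ""
    for group in groups:
        inner = "".join(
            "<ds:X509Certificate>%s</ds:X509Certificate>"
            % base64.b64encode(cert).decode()
            for cert in group
        )
        body += "<ds:X509Data>%s</ds:X509Data>" % inner
    return '<ds:KeyInfo xmlns:ds="%s">%s</ds:KeyInfo>' % (DS, body)


# Constructed placeholder bytes, NOT real DER certificates.
CERTS = [b"cert1-der", b"cert2-der", b"cert3-der"]

SINGLE = build_keyinfo([CERTS])              # first layout: one X509Data
SPLIT = build_keyinfo([[c] for c in CERTS])  # second layout: three X509Data

if __name__ == "__main__":
    for name, doc in (("single", SINGLE), ("split", SPLIT)):
        sizes = [len(group) for group in x509data_groups(doc)]
        print(name, "certificates per X509Data:", sizes)
```

With the first layout the consumer receives all three certificates as one group to build a path from; with the second it receives three unrelated single-certificate groups.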