Hi Christian,

Well, the text in Section 4.4.4 of XML-DSIG

   All certificates appearing in an X509Data element MUST relate to the
   validation key by either containing it or being part of a certification
   chain that terminates in a certificate containing the validation key.

and the example

   <KeyInfo>
     <!-- ... -->
     <X509Data> <!-- certificate chain -->
       <!--Signer cert, issuer CN=arbolCA,OU=FVT,O=IBM,C=US, serial 4-->
       <X509Certificate>MIICXTCCA..</X509Certificate>
       <!-- Intermediate cert subject CN=arbolCA,OU=FVT,O=IBM,C=US
            issuer CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
       <X509Certificate>MIICPzCCA...</X509Certificate>
       <!-- Root cert subject CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
       <X509Certificate>MIICSTCCA...</X509Certificate>
     </X509Data>
   </KeyInfo>

seem to suggest the first structure.

Ari

>Hi all,
>
>how do I represent a chain of certificates? If I have 3 certificates,
>
>
><ds:X509Data>
><ds:X509Certificate>base64ofcert1</ds:X509Certificate>
><ds:X509Certificate>base64ofcert2</ds:X509Certificate>
><ds:X509Certificate>base64ofcert3</ds:X509Certificate>
></ds:X509Data>
>
>
>or (which would make more sense to me):
>
><ds:X509Data>
><ds:X509Certificate>base64ofcert1</ds:X509Certificate>
></ds:X509Data>
><ds:X509Data>
><ds:X509Certificate>base64ofcert2</ds:X509Certificate>
></ds:X509Data>
><ds:X509Data>
><ds:X509Certificate>base64ofcert3</ds:X509Certificate>
></ds:X509Data>
>
>
>
>Regards,
>Christian

Received on Tuesday, 22 January 2002 14:55:03 GMT
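As an added illustration (not part of the original message or of the XML-DSIG specification), the Python sketch below shows how a consumer can read either layout from the question into the same candidate certificate list before any path building. The function names and the certificate placeholders are constructed for this example; the blobs are not real DER certificates.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

def x509data_groups(keyinfo_xml):
    """Return one list of decoded certificate blobs per ds:X509Data in ds:KeyInfo."""
    root = ET.fromstring(keyinfo_xml)
    if root.tag != "{%s}KeyInfo" % DS:
        raise ValueError("root element is not ds:KeyInfo")
    groups = []
    for data in root.findall("ds:X509Data", NS):
        certs = []
        for el in data.findall("ds:X509Certificate", NS):
            # Base64 text is often line-wrapped: drop whitespace, then decode strictly.
            b64 = "".join((el.text or "").split())
            certs.append(base64.b64decode(b64, validate=True))
        groups.append(certs)
    return groups

def candidate_certs(keyinfo_xml):
    """Flatten all groups into one de-duplicated list, keeping document order."""
    seen, out = set(), []
    for group in x509data_groups(keyinfo_xml):
        for der in group:
            if der not in seen:
                seen.add(der)
                out.append(der)
    return out

def _cert(blob):
    return "<ds:X509Certificate>%s</ds:X509Certificate>" % base64.b64encode(blob).decode()

# Constructed placeholders standing in for cert1..cert3 (not real certificates).
BLOBS = [b"constructed-cert-1", b"constructed-cert-2", b"constructed-cert-3"]
OPEN = '<ds:KeyInfo xmlns:ds="%s">' % DS
# First structure from the question: one X509Data holding the whole chain.
SINGLE = OPEN + "<ds:X509Data>" + "".join(map(_cert, BLOBS)) + "</ds:X509Data></ds:KeyInfo>"
# Second structure from the question: one X509Data per certificate.
SPLIT = OPEN + "".join("<ds:X509Data>" + _cert(b) + "</ds:X509Data>" for b in BLOBS) + "</ds:KeyInfo>"

if __name__ == "__main__":
    for name, doc in (("single", SINGLE), ("split", SPLIT)):
        print(name, [len(g) for g in x509data_groups(doc)], len(candidate_certs(doc)))
```

The extracted certificates are only candidates supplied by the signer; whether they form a chain to a trusted root is decided by separate path validation against the verifier's own trust anchors.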