ordering of multiple X509Certificates

From: Joel Hockey <joel.hockey@qsipayments.com>
Date: Fri, 8 Mar 2002 10:57:36 +1000
Message-ID: <CF2BC135FB37D51197D400508BAF5217010724C4@aubnmsx01.qsi.com.au>
To: w3c-ietf-xmldsig@w3.org

Hi,

I have a query about the case where multiple X509Certificate elements are
sent with a signature.  I couldn't find any information in the spec
concerning the order that they should be sent in, and I couldn't find any
mention of this in the mailing list archive.  I imagine this is intentionally
left out of the spec as it does not require any KeyInfo and leaves all this
up to the application level.

I would expect that when multiple certificates are sent, they should be sent
as a chain (same as how an SSL server must send certificates - RFC 2246),
with the sender's cert coming first and each following cert directly
certifying the one before it.

Does the spec actually mention anything about this, or does anyone else have
any thoughts?

Thanks,

Joel
Received on Thursday, 7 March 2002 19:54:50 GMT
