- From: Tom Gindin <tgindin@us.ibm.com>
- Date: Mon, 8 Jul 2002 12:48:59 -0400
- To: asadkhan@cmcltd.com
- Cc: <w3c-ietf-xmldsig@w3.org>
There were two threads on this general subject in the first quarter of this year: one starting with http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002JanMar/0056.html and one starting with http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002JanMar/0191.html. The later of these threads is more relevant.

However, assuming that the certificates form a single chain in the most convenient order is very dangerous during verification, and you should construct the chain as indicated in my posting during the March thread (http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2002JanMar/0194.html). One of our other contributors pointed out off-list that the sorting requirement I cited in that posting applies to RFC 2315 but not to RFC 2630 because that uses BER, so some more recent implementations wouldn't use it. However, you can't assume a natural ordering.

Tom Gindin

"Asad" <asadkhan@cmcltd.com> (by way of Joseph Reagle <reagle@w3.org>) @w3.org on 07/08/2002 09:15:00 AM

Please respond to reagle@w3.org

Sent by: w3c-ietf-xmldsig-request@w3.org

To: <w3c-ietf-xmldsig@w3.org>

cc:

Subject: Array of Certificates

Hi all,

I want to place more than one certificate in the X509Data element (Signer Certificate and its corresponding chain of certificates). Is it mandatory to place all the certificates in order, i.e. signer certificate first and followed by its CA and so on, or can I place the certificates in any order?

And also I want to know, during signature verification, if I receive a chain of certificates, should I take the certificate placed first as the signer certificate, or should I do any checking using the X509IssuerSerial/X509SKI element to determine where the signer certificate is?

Thanks in advance

regards

Asad
Received on Monday, 8 July 2002 12:49:29 UTC
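The following is an added example, not code from this thread or from the postings it links to. It shows one way a verifier can pick the signer by its X509IssuerSerial value and build the chain by issuer/subject links from an unordered X509Data bag. The `Cert` record, the function names and the sample names are assumptions; a real verifier must also check each certificate's signature, validity period and revocation status, which this sketch does not model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:  # simplified stand-in for a parsed X509Certificate (assumption)
    subject: str
    issuer: str
    serial: int

def find_signer(certs, issuer, serial):
    """Pick the signer by its X509IssuerSerial value, never by position."""
    matches = [c for c in certs if (c.issuer, c.serial) == (issuer, serial)]
    if len(matches) != 1:
        raise ValueError("expected exactly one certificate matching X509IssuerSerial")
    return matches[0]

def build_chain(certs, signer, trusted_names):
    """Follow issuer -> subject links from the signer up to a trusted name.

    trusted_names are trust-anchor subjects configured locally; a self-signed
    certificate that merely appears in X509Data is not trusted.
    """
    by_subject = {}
    for c in certs:
        by_subject.setdefault(c.subject, []).append(c)
    chain, current = [signer], signer
    while current.issuer not in trusted_names:
        # Exclude certificates already used so a naming loop cannot spin forever.
        candidates = [c for c in by_subject.get(current.issuer, []) if c not in chain]
        if len(candidates) != 1:
            raise ValueError(f"cannot resolve issuer of {current.subject!r}: "
                             f"{len(candidates)} candidates")
        current = candidates[0]
        chain.append(current)
    return chain

# Constructed sample: deliberately unordered, with one unrelated certificate.
BAG = [
    Cert("CN=Intermediate CA", "CN=Example Root", 7),
    Cert("CN=Unrelated", "CN=Other Root", 3),
    Cert("CN=Signer", "CN=Intermediate CA", 42),
]

if __name__ == "__main__":
    signer = find_signer(BAG, "CN=Intermediate CA", 42)
    for cert in build_chain(BAG, signer, {"CN=Example Root"}):
        print(cert.subject, "<-", cert.issuer)
```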