X509 data element

From: Joseph Swaminathan <jswamina@cisco.com>
Date: Mon, 03 Feb 2003 11:28:54 -0800
Message-ID: <3E3EC2F6.BC5A1973@cisco.com>
To: w3c-ietf-xmldsig@w3.org


  While looking at the X509 data element (section 4.4.4 of RFC 3275),
I have a few questions.

  The specification says,

  "1. At least one element, from the following set of element types; any
      of these may appear together or more than once if (if and only if)
      each instance describes or is related to the same certificate:
   2.
      o  The X509IssuerSerial element, which contains an X.509 issuer
         distinguished name/serial number pair that SHOULD be compliant
         with RFC 2253 [LDAP-DN],
      o  The X509SubjectName element, which contains an X.509 subject
         distinguished name that SHOULD be compliant with RFC 2253
         [LDAP-DN],
      o  The X509SKI element, which contains the base64 encoded plain
         (i.e., non-DER-encoded) value of a X509 V.3
         SubjectKeyIdentifier extension.
      o  The X509Certificate element, which contains a base64-encoded
         [X509v3] certificate, and
      o  Elements from an external namespace which
         accompanies/complements any of the elements above.
      o  The X509CRL element, which contains a base64-encoded
         certificate revocation list (CRL) [X509v3]."

   1. When the X509 certificate element is present, is there any need
      for the X509IssuerSerial, X509SubjectName, and X509SKI elements? Is
      it possible for all of these to be present? If so, what is
      the significance of the latter three, as the first one contains
      all of them?

   2. Also, how is a certificate validated? Is it by

      a) comparing byte to byte with a list of acceptable
         certificates in the database? If so, then it makes
         sense to have the X509 certificate as well as IssuerSerial,
         SKI, etc., because certificates can be validated
         without an ASN.1 parser.
      b) getting the public key of the issuer, and verifying the
         signature value in the certificate?

thanks
Joseph
Received on Monday, 3 February 2003 14:29:26 GMT
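
An added example, not part of the original message or of RFC 3275: a sketch of the byte-for-byte comparison described in option (a), where the base64 content of `X509Certificate` is matched against a list of accepted certificates and the other `X509Data` children serve only as consistency hints. `PINNED`, `check_x509data`, `SAMPLE_DER` and `SAMPLE_XML` are hypothetical names with constructed values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed stand-in for DER certificate bytes; option (a) never parses them.
SAMPLE_DER = b"constructed-placeholder-certificate-bytes"
# Hypothetical trust store: SHA-256 of an accepted certificate -> attributes
# recorded at enrolment (assumed stored in the same string form the signer sends).
PINNED = {hashlib.sha256(SAMPLE_DER).hexdigest(): {
    "subject": "CN=Example Signer,O=Example,C=US",
    "issuer": "CN=Example CA,O=Example,C=US", "serial": "1234"}}
SAMPLE_XML = f"""<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:X509IssuerSerial>
    <ds:X509IssuerName>CN=Example CA,O=Example,C=US</ds:X509IssuerName>
    <ds:X509SerialNumber>1234</ds:X509SerialNumber>
  </ds:X509IssuerSerial>
  <ds:X509SubjectName>CN=Example Signer,O=Example,C=US</ds:X509SubjectName>
  <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
</ds:X509Data>"""

def _text(elem, path):
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else None

def check_x509data(xml_text, pinned=PINNED):
    """Return the pinned record matching the X509Data, or None if not accepted."""
    root = ET.fromstring(xml_text)  # for untrusted input prefer a hardened parser
    data = root if root.tag == DS + "X509Data" else root.find(".//" + DS + "X509Data")
    if data is None:
        return None
    hints = {"subject": _text(data, DS + "X509SubjectName"),
             "issuer": _text(data, DS + "X509IssuerSerial/" + DS + "X509IssuerName"),
             "serial": _text(data, DS + "X509IssuerSerial/" + DS + "X509SerialNumber")}
    for cert in data.findall(DS + "X509Certificate"):
        try:
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
        except ValueError:  # malformed base64: reject the whole element
            return None
        record = pinned.get(hashlib.sha256(der).hexdigest())
        if record is None:
            continue  # not an accepted certificate; try the next one
        # Hints must describe the same certificate; the decision rests on its bytes.
        if any(v is not None and v != record[k] for k, v in hints.items()):
            return None
        return record
    return None
```

This comparison only establishes that the certificate is one already accepted; option (b), verifying the issuer's signature over the certificate, requires a library that can parse ASN.1.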