
Re: X509 data element

From: Rich Salz <rsalz@datapower.com>
Date: Mon, 03 Feb 2003 14:49:36 -0500
Message-ID: <3E3EC7D0.7010604@datapower.com>
To: Joseph Swaminathan <jswamina@cisco.com>
CC: w3c-ietf-xmldsig@w3.org

>    1. When X509 certificate element is present, is there any need
>       for X509IssuerSerial, X509SubjectName, X509SKI elements? Is 
>       it possible for all of these to be present? If so, what is 
>       the significance of the latter three, as the first one contains 
>       all of them?

Many implementations actually provide more than one of the different 
forms in the same signature.  Yes, the certificate includes all the 
other data, but it requires a fairly heavy-duty ASN1/DER parser. 
Breaking out the alternate "lookup keys" is just "friendly," as it were.

>    2. Also, how is a certificate validated. Is it by 

That's a local trust issue, and depends on your implementation and 
business requirements.  A common 80/20 technique is to verify that the 
certificate *or its issuer* came from a locally-configured trusted list.

	/r$
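The two points in the reply, cross-checking the "friendly" lookup keys against the X509Certificate and the "certificate or its issuer is on a local trusted list" rule, as an added Ruby example that is not part of the original thread; the certificates, names, serial numbers and the trusted list are constructed fixtures.

```ruby
require "openssl"
require "rexml/document"

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed test certificate (a fixture, not a real CA): self-signed when issuer is nil.
def make_cert(cn, serial, issuer = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Constructed ds:X509Data sample: the certificates plus an X509IssuerSerial "lookup key" for the first one.
def x509data_xml(certs, serial_hint)
  items = certs.map { |c| "<ds:X509Certificate>#{[c.to_der].pack("m0")}</ds:X509Certificate>" }.join
  "<ds:X509Data xmlns:ds=\"#{DSIG_NS}\"><ds:X509IssuerSerial><ds:X509IssuerName>#{certs.first.issuer}" \
    "</ds:X509IssuerName><ds:X509SerialNumber>#{serial_hint}</ds:X509SerialNumber></ds:X509IssuerSerial>#{items}</ds:X509Data>"
end

# SHA-256 over the DER encoding: the form in which the local trusted list is kept in this example.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end
# The 80/20 rule from the reply: accept the signer if it, or the certificate that issued it, is on the
# locally configured trusted list. Returns the signer certificate, raises otherwise.
def check_x509data(xml, trusted)
  ns = { "ds" => DSIG_NS }
  doc = REXML::Document.new(xml)
  certs = REXML::XPath.match(doc, "//ds:X509Data/ds:X509Certificate", ns)
              .map { |e| OpenSSL::X509::Certificate.new(e.text.unpack1("m")) }
  raise "X509Data carries no X509Certificate" if certs.empty?
  signer = certs.first
  # The broken-out lookup keys are unauthenticated hints: cross-check them against the certificate, never rely on them alone.
  hint = REXML::XPath.first(doc, "//ds:X509IssuerSerial/ds:X509SerialNumber", ns)
  if hint && hint.text.strip != signer.serial.to_s
    raise "X509SerialNumber #{hint.text.strip} disagrees with certificate serial #{signer.serial}"
  end
  return signer if trusted.include?(fingerprint(signer))
  # Otherwise the issuer must be on the list AND must actually have signed this certificate.
  issuer = certs.find { |c| c.subject.cmp(signer.issuer).zero? }
  return signer if issuer && trusted.include?(fingerprint(issuer)) && signer.verify(issuer.public_key)
  raise "neither the certificate nor its issuer is on the local trusted list"
end
```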
Received on Monday, 3 February 2003 14:49:39 GMT
