- From: Rich Salz <rsalz@datapower.com>
- Date: Mon, 03 Feb 2003 14:49:36 -0500
- To: Joseph Swaminathan <jswamina@cisco.com>
- CC: w3c-ietf-xmldsig@w3.org

> 1. When X509 certificate element is present, is there any need
> for X509IssuerSerial, X509SubjectName, X509SKI, elements. Is
> it possible for all of these to be present. If so, what is
> the significance of the latter three, as the first one contains
> all of them.

Many implementations actually provide more than one of the different forms in the same signature. Yes, the certificate includes all the other data, but it requires a fairly heavy-duty ASN1/DER parser. Breaking out the alternate "lookup keys" is just "friendly," as it were.

> 2. Also, how is a certificate validated. Is it by

That's a local trust issue, and depends on your implementation and business requirements. A common 80/20 technique is to verify that the certificate *or its issuer* came from a locally-configured trusted list.

/r$

Received on Monday, 3 February 2003 14:49:39 UTC
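
Added example, not part of the original message and not code from any XML-DSig implementation: a verifier can use the alternate "lookup keys" in X509Data to find the signer in a locally-configured trusted list without an ASN.1/DER parser, and should fail closed when the forms present do not all point at the same entry. The sample KeyInfo, the TRUSTED records and the function names are constructed for illustration; distinguished names are compared as exact strings, which is an assumption (real DN matching needs normalization).

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: X509Data carrying three lookup forms and no X509Certificate.
KEYINFO = """<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
  <X509IssuerSerial>
    <X509IssuerName>CN=Example Issuing CA,O=Example</X509IssuerName>
    <X509SerialNumber>4097</X509SerialNumber>
  </X509IssuerSerial>
  <X509SubjectName>CN=signer-1.example,O=Example</X509SubjectName>
  <X509SKI>AQIDBAUGBwg=</X509SKI>
</X509Data></KeyInfo>"""

# Constructed local trust list (values an administrator registered in advance).
TRUSTED = [
    {"id": "signer-1", "issuer": "CN=Example Issuing CA,O=Example", "serial": 4097,
     "subject": "CN=signer-1.example,O=Example", "ski": "AQIDBAUGBwg="},
    {"id": "signer-2", "issuer": "CN=Example Issuing CA,O=Example", "serial": 4098,
     "subject": "CN=signer-2.example,O=Example", "ski": "CQoLDA0ODxA="},
]

def lookup_keys(keyinfo_xml):
    """Return the non-certificate lookup forms found in the first X509Data."""
    data = ET.fromstring(keyinfo_xml).find(DS + "X509Data")
    keys = {}
    if data is None:
        return keys
    pair = data.find(DS + "X509IssuerSerial")
    if pair is not None:
        keys["issuer_serial"] = (pair.findtext(DS + "X509IssuerName", "").strip(),
                                 int(pair.findtext(DS + "X509SerialNumber", "-1")))
    subject = data.findtext(DS + "X509SubjectName")
    if subject is not None:
        keys["subject"] = subject.strip()
    ski = data.findtext(DS + "X509SKI")
    if ski is not None:
        keys["ski"] = "".join(ski.split())  # base64 text may be line-wrapped
    return keys

def resolve(keyinfo_xml, trusted=TRUSTED):
    """Return the id of the one trusted record every supplied form agrees on."""
    keys = lookup_keys(keyinfo_xml)
    matches = []
    for rec in trusted:
        forms = {"issuer_serial": (rec["issuer"], rec["serial"]),
                 "subject": rec["subject"], "ski": rec["ski"]}
        if keys and all(forms[name] == value for name, value in keys.items()):
            matches.append(rec["id"])
    # No match, an ambiguous match, or forms that disagree all fail closed.
    return matches[0] if len(matches) == 1 else None
```

Resolving an entry this way only identifies the key to try; the signature itself must still verify under that entry's public key.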