- From: Scott Cantor <cantor.2@osu.edu>
- Date: Tue, 21 Sep 2010 11:25:44 -0400
- To: <public-xmlsec@w3.org>
Here's the relevant text today on X509Data usage (without having been modified to add the X509Digest option):

"Any X509IssuerSerial, X509SKI, and X509SubjectName elements that appear MUST refer to the certificate or certificates containing the validation key. All such elements that refer to a particular individual certificate MUST be grouped inside a single X509Data element and if the certificate to which they refer appears, it MUST also be in that X509Data element. Any X509IssuerSerial, X509SKI, and X509SubjectName elements that relate to the same key but different certificates MUST be grouped within a single KeyInfo but MAY occur in multiple X509Data elements."

So the cases of two different certs (two X509Datas), or two hashes over the same cert (one X509Data, multiple X509Digests), are reflected, and the unit of reuse should be KeyInfo (or perhaps X509Data, but that's not common).

I think Brian's point warrants some additional text, so I will resend my proposal with the algorithm changes and some text on this.

-- Scott
Received on Tuesday, 21 September 2010 15:26:18 UTC
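The grouping rules in the X509Data text quoted above, applied to X509Digest, can be checked mechanically: a digest that sits in an X509Data alongside an X509Certificate must be a digest of that certificate, and two X509Data elements in one KeyInfo must not both reference the same certificate. The checker below is an added example, not code from the message, from Scott Cantor or from the W3C specification. It assumes the standard dsig and dsig11 namespace URIs and digest algorithm identifiers, and it uses two constructed placeholder byte strings in place of real DER certificates, because the point is the grouping and digest-matching logic rather than certificate parsing.

```python
"""Check the X509Data grouping rules for X509Digest within a KeyInfo.

Added example; namespace URIs and algorithm identifiers are the standard XML
Signature ones (assumed), and the certificates are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
DS11 = "http://www.w3.org/2009/xmldsig11#"

# Digest algorithm URIs as used by XML Signature / XML Encryption (assumed).
DIGEST_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed placeholder "certificates" (real ones would be DER bytes).
CERT_A = b"constructed-cert-A-for-key-K"
CERT_B = b"constructed-cert-B-for-key-K"


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def cert_digest(cert_der: bytes, alg_uri: str) -> str:
    """Base64 digest of the certificate bytes under the named algorithm."""
    return b64(hashlib.new(DIGEST_ALGS[alg_uri], cert_der).digest())


def check_keyinfo(keyinfo_xml: str) -> list:
    """Return rule violations for a KeyInfo; an empty list means it is consistent.

    Rule 1: an X509Digest in an X509Data that also carries an X509Certificate
            must be a digest of that certificate.
    Rule 2: references to one certificate must share a single X509Data, so a
            digest must not name the certificate carried by another X509Data.
    """
    root = ET.fromstring(keyinfo_xml)
    datas = root.findall("{%s}X509Data" % DS)
    # First pass: the certificate (if any) carried by each X509Data.
    certs = []
    for x in datas:
        el = x.find("{%s}X509Certificate" % DS)
        certs.append(base64.b64decode(el.text.strip()) if el is not None else None)
    problems = []
    for idx, x in enumerate(datas):
        for dg in x.findall("{%s}X509Digest" % DS11):
            alg = dg.get("Algorithm")
            if alg not in DIGEST_ALGS:
                problems.append("X509Data[%d]: unknown digest algorithm %s" % (idx, alg))
                continue
            value = (dg.text or "").strip()
            # Which certificates present in this KeyInfo does the digest name?
            matches = [i for i, c in enumerate(certs)
                       if c is not None and cert_digest(c, alg) == value]
            if certs[idx] is not None and idx not in matches:
                problems.append("X509Data[%d]: X509Digest does not match the "
                                "X509Certificate in the same X509Data" % idx)
            for other in matches:
                if other != idx:
                    problems.append("X509Data[%d]: X509Digest refers to the certificate in "
                                    "X509Data[%d]; they must share one X509Data" % (idx, other))
    return problems


def x509data(cert=None, digests=()):
    body = "".join('<dsig11:X509Digest Algorithm="%s">%s</dsig11:X509Digest>' % (a, v)
                   for a, v in digests)
    if cert is not None:
        body += "<X509Certificate>%s</X509Certificate>" % b64(cert)
    return "<X509Data>%s</X509Data>" % body


def keyinfo(*x509datas) -> str:
    return ('<KeyInfo xmlns="%s" xmlns:dsig11="%s">' % (DS, DS11)
            + "".join(x509datas) + "</KeyInfo>")


def good_keyinfo() -> str:
    """Two certs for one key: one X509Data each; cert A hashed twice in its own X509Data."""
    return keyinfo(
        x509data(CERT_A, [(SHA256, cert_digest(CERT_A, SHA256)), (SHA1, cert_digest(CERT_A, SHA1))]),
        x509data(CERT_B, [(SHA256, cert_digest(CERT_B, SHA256))]),
    )


def bad_keyinfo() -> str:
    """Cert A's digest misplaced into the X509Data that carries cert B."""
    return keyinfo(
        x509data(CERT_A, [(SHA256, cert_digest(CERT_A, SHA256))]),
        x509data(CERT_B, [(SHA256, cert_digest(CERT_A, SHA256))]),
    )


if __name__ == "__main__":
    print("good:", check_keyinfo(good_keyinfo()))
    print("bad:", check_keyinfo(bad_keyinfo()))
```

The "good" KeyInfo is the shape the quoted text allows: two X509Data elements for two certificates of the same key, with both hashes over cert A kept inside a single X509Data. The "bad" one places cert A's digest next to cert B and trips both rules, which is the kind of inconsistency a consumer would otherwise resolve silently by picking whichever certificate it found first.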