- From: Yoshiaki KAWATSURA <kawatura@bisd.hitachi.co.jp>
- Date: Mon, 26 Jun 2000 15:19:42 +0900 (JST)
- To: w3c-ietf-xmldsig@w3.org
- Cc: kawatura@bisd.hitachi.co.jp
Hello, I have some questions/comments on the current draft.

(1) For the KeyInfo element

A combination of Issuer Name and Certificate Serial Number is used as the identifier for the actual public key to verify the signature in PKCS#7. Additionally, a combination of issuer name, subject name and subject key identifier is also used (this is described in draft-ietf-pkix-technr-00.txt). How does a validation application identify "the" key information which has been used for the signature, given that KeyInfo can include many pieces of key (certificate) information?

(2-1) For X509Data

I think the X509IssuerName in the example of X509Data should be described with an actual value, such as a distinguished name, for example <X509IssuerName>CN =XXX Cert, C= US, O = XXX Trust Inc.</X509IssuerName>.

# Is there any general guideline which describes the text representation
# of distinguished names? I found <draft-ietf-pkix-generalname-00.txt>,
# which specifies text representations for distinguished names,
# but this document has already expired.

(2-2) The structure of the X509Data element

I think that the combination of X509IssuerSerial, X509SKI and/or X509SubjectName should be used as the identifier for the certificate if it has already been stored in the verifier's local storage. Additionally, X509CRL may be separated from, or may be included with, the certificate (or certificate identifiers) in X509Data if multiple certificates are allowed by using multiple X509Data elements, because X509CRL is independent.

Therefore I suggest the following structure for X509Data:

    <element name='X509Data'>
      <complexType content='elementOnly'>
        <sequence minOccurs='1' maxOccurs='1'>
          <choice minOccurs='1' maxOccurs='1'>
            <sequence minOccurs='1' maxOccurs='1'>
              <element ref='ds:X509IssuerSerial' minOccurs='0' maxOccurs='1'/>
              <element name='X509SKI' type='ds:CryptoBinary' minOccurs='0' maxOccurs='1'/>
              <element name='X509SubjectName' type='string' minOccurs='0' maxOccurs='1'/>
            </sequence>
            <element name='X509Certificate' type='ds:CryptoBinary' minOccurs='1' maxOccurs='1'/>
          </choice>
          <element name='X509CRL' type='ds:CryptoBinary' minOccurs='1' maxOccurs='1'/>
        </sequence>
      </complexType>
    </element>

Thanks,

----
Yoshiaki Kawatsura : E-mail kawatura@bisd.hitachi.co.jp
Business Solution Systems Development Division, Hitachi, Ltd.
Voice: +81-44-549-1713 (direct)  Fax: +81-44-549-1721
Received on Monday, 26 June 2000 02:20:48 UTC
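The resolution problem raised in points (1) and (2-2) of the message above, worked through as an added example (this is not code from the post, from Hitachi, or from the XML-DSig working group): a verifier walks every X509Data in a KeyInfo, takes an embedded X509Certificate as-is, otherwise looks the certificate up in its local store by whichever of X509IssuerSerial, X509SKI and X509SubjectName are present (all present identifiers must match), and refuses to verify when the KeyInfo ends up naming zero or more than one certificate rather than silently picking the first. The local store, its certificates, the "DER" byte strings and the KeyInfo fragments are all constructed for the example; the distinguished-name comparison (split on unescaped commas, trim whitespace, upper-case the attribute type, as in RFC 2253 text form) is an assumption of this example, which is the gap point (2-1) asks about, and not a rule taken from the draft. X509CRL is deliberately ignored by the resolver, since it identifies nothing.

```python
"""Resolve which certificate an XML-DSig KeyInfo/X509Data refers to.

Added example; the store, certificates, DER placeholders and KeyInfo inputs
are constructed, and the DN normalisation is this example's own assumption.
"""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass

DS = "http://www.w3.org/2000/09/xmldsig#"   # namespace of the 2000 drafts
NS = {"ds": DS}


@dataclass(frozen=True)
class StoredCert:
    """Constructed stand-in for a certificate in the verifier's local store."""
    issuer: str
    serial: int
    subject: str
    ski: bytes
    der: bytes


def split_unescaped(text: str, sep: str) -> list:
    """Split on sep while honouring backslash escapes such as 'O=Acme\\, Inc.'."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2]); i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical text form of a DN so 'CN =X, C= US' compares equal to 'CN=X,C=US'."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        attr, eq, value = rdn.partition("=")
        if not eq:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(rdns)


def _matches(cert: StoredCert, x509data: ET.Element) -> bool:
    """True if every identifier present in x509data matches cert (AND semantics)."""
    criteria = 0
    issuer_serial = x509data.find("ds:X509IssuerSerial", NS)
    if issuer_serial is not None:
        criteria += 1
        name = issuer_serial.findtext("ds:X509IssuerName", "", NS)
        serial = issuer_serial.findtext("ds:X509SerialNumber", "", NS)
        if normalize_dn(name) != normalize_dn(cert.issuer) or int(serial) != cert.serial:
            return False
    ski = x509data.findtext("ds:X509SKI", None, NS)
    if ski is not None:
        criteria += 1
        if base64.b64decode("".join(ski.split())) != cert.ski:
            return False
    subject = x509data.findtext("ds:X509SubjectName", None, NS)
    if subject is not None:
        criteria += 1
        if normalize_dn(subject) != normalize_dn(cert.subject):
            return False
    if criteria == 0:   # only an X509CRL, or nothing at all: names no certificate
        raise ValueError("X509Data carries neither a certificate nor an identifier")
    return True


def resolve_x509data(x509data: ET.Element, store: list) -> list:
    """DER candidates named by one X509Data element."""
    embedded = x509data.findtext("ds:X509Certificate", None, NS)
    if embedded is not None:
        return [base64.b64decode("".join(embedded.split()))]   # travels with the signature
    return [c.der for c in store if _matches(c, x509data)]


def resolve_keyinfo(keyinfo_xml: str, store: list) -> list:
    """All distinct certificates a KeyInfo could be pointing at, in document order."""
    root = ET.fromstring(keyinfo_xml)
    seen, out = set(), []
    for x509data in root.iterfind("ds:X509Data", NS):
        for der in resolve_x509data(x509data, store):
            if der not in seen:
                seen.add(der); out.append(der)
    return out


def select_signing_cert(keyinfo_xml: str, store: list) -> bytes:
    """The one certificate to verify with; refuse to guess when KeyInfo is ambiguous."""
    candidates = resolve_keyinfo(keyinfo_xml, store)
    if not candidates:
        raise LookupError("KeyInfo names no certificate known to the local store")
    if len(candidates) > 1:
        raise LookupError(f"KeyInfo names {len(candidates)} certificates; signing key is ambiguous")
    return candidates[0]


# Constructed local store: the DER values are placeholders, not real certificates.
LOCAL_STORE = [
    StoredCert("CN=XXX Cert,C=US,O=XXX Trust Inc.", 12345,
               "CN=Alice,O=Example", bytes.fromhex("0102030405"), b"DER-A"),
    StoredCert("CN=XXX Cert,C=US,O=XXX Trust Inc.", 67890,
               "CN=Bob,O=Example", bytes.fromhex("0a0b0c0d0e"), b"DER-B"),
]


def keyinfo(*x509data_bodies: str) -> str:
    """Wrap X509Data bodies in a KeyInfo element (constructed test input)."""
    items = "".join(f"<ds:X509Data>{b}</ds:X509Data>" for b in x509data_bodies)
    return f'<ds:KeyInfo xmlns:ds="{DS}">{items}</ds:KeyInfo>'


ISSUER_SERIAL_A = ("<ds:X509IssuerSerial>"
                   "<ds:X509IssuerName>CN =XXX Cert, C= US, O = XXX Trust Inc.</ds:X509IssuerName>"
                   "<ds:X509SerialNumber>12345</ds:X509SerialNumber></ds:X509IssuerSerial>")
SKI_B = f"<ds:X509SKI>{base64.b64encode(LOCAL_STORE[1].ski).decode()}</ds:X509SKI>"
SUBJECT_BOB = "<ds:X509SubjectName>CN=Bob,O=Example</ds:X509SubjectName>"
EMBEDDED_A = f"<ds:X509Certificate>{base64.b64encode(LOCAL_STORE[0].der).decode()}</ds:X509Certificate>"

if __name__ == "__main__":
    print(select_signing_cert(keyinfo(ISSUER_SERIAL_A), LOCAL_STORE))
    print(resolve_keyinfo(keyinfo(ISSUER_SERIAL_A, SKI_B), LOCAL_STORE))
```

Note that ISSUER_SERIAL_A uses the loosely spaced DN from point (2-1) and still matches the store entry because both sides go through normalize_dn; without an agreed text form for distinguished names, two implementations can legitimately disagree on whether such an X509IssuerName identifies the certificate at all.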