- From: Brian LaMacchia <bal@microsoft.com>
- Date: Tue, 11 Jul 2000 08:44:52 -0700
- To: "'Yoshiaki KAWATSURA'" <kawatura@bisd.hitachi.co.jp>, w3c-ietf-xmldsig@w3.org
> -----Original Message----- > From: Yoshiaki KAWATSURA [mailto:kawatura@bisd.hitachi.co.jp] > Sent: Monday, June 26, 2000 2:20 AM > To: w3c-ietf-xmldsig@w3.org > Cc: kawatura@bisd.hitachi.co.jp > Subject: Questions/Comments for the current draft. > > > Hello, > I have some questions/comments for the current draft. > > (1) For KeyInfo Element > A combination of Issuer Name and Certificate Serial Number is used as > the identifier for the actual public key to verify the signature in > PKCS#7. Additionally, a combination of issuer name, subject name and > subject key identifier is also used (this is described in > draft-ietf-pkix-technr-00.txt.) > > How does validation application identify "the" key information > which has been used for signature, although KeyInfo can include > many key (certificate) information? I'm not sure I understand the question here. Every sub-element within a KeyInfo structure potentially provides information concerning the key pair used to generate the signature. Depending on what sort of information is meaningful to the signature-verifying application each sub-element may or may not convey something useful. Once the correct key has been discovered & the mathematics of the signature verified, then again each sub-element may convey trust-related information to the application. Of course, the application is free to ignore this information and use its own resources to determine how much trust to put in the key pair and signature. Within X509Data, there are three primary ways to look up related certs: ds:X509IssuerSerial, X509SKI and X509SubjectName. ds:X509IssuerSerial is there mostly for legacy purposes (including PKCS#7); SKI is a much better identifier of the key material. A combination of ds:X509IssuerSerial and X509SubjectName would give you the (issuer, subject, SKI) triple that Tom uses in the technr-00 draft. This combination is explicitly allowed within a single X509Data element. --bal
Received on Tuesday, 11 July 2000 11:45:40 UTC