RE: Latest XML Signature Specification

Hi all,

From the latest draft http://www.w3.org/TR/2000/WD-xmldsig-core-20000711/

<element name='X509Data'>
  <complexType content='elementOnly'>
    <choice minOccurs='1' maxOccurs='1'>
      <sequence minOccurs='1' maxOccurs='unbounded'>
        <choice minOccurs='1' maxOccurs='1'>
          <element ref='ds:X509IssuerSerial'/>
          <element name='X509SKI' type='ds:CryptoBinary'/>
          <element name='X509SubjectName' type='string'/>
        </choice>
      </sequence>
      <element name='X509Certificate' type='ds:CryptoBinary' minOccurs='1' maxOccurs='1'/>
      <element name='X509CRL' type='ds:CryptoBinary' minOccurs='1' maxOccurs='1'/>
    </choice>
  </complexType>
</element>

DTD:
<!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName),
                    X509Certificate*, X509CRL*)>


I'm pretty sure this DTD fragment doesn't reflect the schema.

Maybe this is closer?
<!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName)+ | 
                              X509Certificate| X509CRL)>

Also, my suggestion is

<element name='X509Data'>
  <complexType content='elementOnly'>
    <sequence minOccurs='1' maxOccurs='1'>
      <choice minOccurs='1' maxOccurs='1'>
        <sequence minOccurs='1' maxOccurs='1'>
          <element ref='ds:X509IssuerSerial' minOccurs='0' maxOccurs='1'/>
          <element name='X509SKI' type='ds:CryptoBinary' minOccurs='0' maxOccurs='1'/>
          <element name='X509SubjectName' type='string' minOccurs='0' maxOccurs='1'/>
        </sequence>
      </choice>
      <element name='X509Certificate' type='ds:CryptoBinary' minOccurs='0' maxOccurs='unbounded'/>
      <element name='X509CRL' type='ds:CryptoBinary' minOccurs='0' maxOccurs='unbounded'/>
    </sequence>
  </complexType>
</element>

or in DTD form

<!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName)+,
                    X509Certificate*, X509CRL*)>

Not sure if I've got the syntax 100%, but I hope you understand where I'm
coming from.
Each X509Data should refer to the certs surrounding a single public key. As
noted in previous posts, there could be multiple cert chains from different
CAs.
I guess maybe you could restrict each X509Data to holding one cert chain for
clarity, and use multiple X509Datas to hold the multiple cert chains for the
same public key.


BTW - for those interested, I'm working at Baltimore in Dublin on XSecure -
currently implementing the latest spec for this product. I hope soon to be
in a position to do some interop by setting up a web page and working over
email.


Thanks,
Owen

--
Owen Roberts
Toolkits Architect
Baltimore Technologies, Dublin
oroberts@baltimore.ie
(+3531) 647 7430

Received on Wednesday, 12 July 2000 09:49:21 UTC
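Added example, not part of Owen's mail or of the W3C draft: a Python script that transcribes the three content models quoted above (the DTD printed in the draft, what the draft's schema actually allows, and the proposed DTD) into regular expressions over child element names and runs constructed X509Data instances through them, so the mismatch the mail describes shows up as differing verdicts. The names MODELS, SAMPLES, conforms and matrix, the sample instances, and the namespace URI are my assumptions.

```python
# Check X509Data child sequences against the content models discussed above.
# A DTD content model is a regular language over child element names, so each
# model is transcribed by hand into a Python regex; no DTD validator is needed.
import re
import xml.etree.ElementTree as ET

# Assumed namespace URI of the July 2000 draft; the check uses local names only.
DS = "http://www.w3.org/2000/07/xmldsig#"
IDENT = r"(?:X509IssuerSerial|X509SKI|X509SubjectName) "
MODELS = {
    # DTD as printed in the draft: exactly one identifier, then certs, then CRLs
    "draft_dtd": rf"{IDENT}(?:X509Certificate )*(?:X509CRL )*",
    # What the draft's schema actually says: identifiers+, OR one cert, OR one CRL
    "draft_schema": rf"(?:{IDENT})+|X509Certificate |X509CRL ",
    # The proposed DTD from the mail: identifiers+, then certs*, then CRLs*
    "proposed_dtd": rf"(?:{IDENT})+(?:X509Certificate )*(?:X509CRL )*",
}


def child_names(x509data_xml: str) -> list[str]:
    """Return the local names of an X509Data element's children, in order."""
    return [child.tag.rsplit("}", 1)[-1] for child in ET.fromstring(x509data_xml)]


def conforms(names: list[str], model: str) -> bool:
    """True if the child sequence is accepted by the named content model."""
    return re.fullmatch(MODELS[model], "".join(n + " " for n in names)) is not None


def matrix(samples: dict[str, str]) -> dict[str, dict[str, bool]]:
    """Verdict of every model on every sample, keyed by sample name then model."""
    return {name: {m: conforms(child_names(xml), m) for m in MODELS}
            for name, xml in samples.items()}


# Constructed instances; certificate values are placeholders, not real base64 DER.
SAMPLES = {
    # issuer/serial naming the key, followed by its certificate chain
    "chain": f'<ds:X509Data xmlns:ds="{DS}"><ds:X509IssuerSerial>'
             '<ds:X509IssuerName>CN=Example CA</ds:X509IssuerName>'
             '<ds:X509SerialNumber>1234</ds:X509SerialNumber></ds:X509IssuerSerial>'
             '<ds:X509Certificate>cert1</ds:X509Certificate>'
             '<ds:X509Certificate>cert2</ds:X509Certificate></ds:X509Data>',
    # a bare end-entity certificate and nothing else
    "cert_only": f'<ds:X509Data xmlns:ds="{DS}">'
                 '<ds:X509Certificate>cert1</ds:X509Certificate></ds:X509Data>',
    # two identifiers for the same key, no certificate
    "two_ids": f'<ds:X509Data xmlns:ds="{DS}"><ds:X509SKI>c2tp</ds:X509SKI>'
               '<ds:X509SubjectName>CN=Alice</ds:X509SubjectName></ds:X509Data>',
}
```

Running matrix(SAMPLES) shows the "chain" instance rejected by the draft's schema but accepted by its DTD, and the "cert_only" instance accepted only by the draft's schema, since the `+` in the proposed DTD rejects a bare X509Certificate that the proposed schema (every element minOccurs='0') would admit.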