- From: Barb Fox <bfox@Exchange.Microsoft.com>
- Date: Wed, 12 Jul 2000 16:03:21 -0700
- To: "Kevin Regan" <kevinr@valicert.com>, <w3c-ietf-xmldsig@w3.org>
- Message-ID: <96BABA22ECEAEA45B53D08D63E1B567826F1C4@DF-SPIKE.platinum.corp.microsoft.com>
Kevin: KeyInfo is intended to be about the single key that matters to a verifier: the public verification key. It is simply hints to a verifier about the public key associated with a specific signature that he can feed into his acceptance policy. The important point here tho is that X.509 certificates are only one form of evidence that can be sent to a verifier by a signer. A signer may also choose to send verifier(s) lots of KeyInfo types (PGP, SPKI, X.509) on the same key. In your example, he may want to send a bunch of X.509 certs (about the same key) from lots of different CA's. We were careful not to drag any trust model assumptions into this standard. Bottom line: a single KeyInfo should refer to the same key. I'm still not convinced that we need to change any wording. --Barb -----Original Message----- From: Kevin Regan [mailto:kevinr@valicert.com] Sent: Wednesday, July 12, 2000 3:24 PM To: Barb Fox; Kevin Regan; w3c-ietf-xmldsig@w3.org Subject: RE: XML Signature Section 4.4 (KeyInfo) I guess my confusion comes from the phrase "refer to the same key." This wording seems (to me anyway) to suggest that each item in KeyInfo is a different representation for a single key. Certificates in a certificate chain each "refer" to (or contain) a different key, but are used to validate a specific key. Maybe the wording can be changed to be more clear... --Kevin -----Original Message----- From: Barb Fox [mailto:bfox@Exchange.Microsoft.com] Sent: Wednesday, July 12, 2000 3:17 PM To: Kevin Regan; w3c-ietf-xmldsig@w3.org Subject: RE: XML Signature Section 4.4 (KeyInfo) Kevin: I hope you are planning to come to the IETF where many of your questions and a validation of your implementation assumptions with other developers can get resolved. Yes, it's true: "multiple declarations within KeyIfo can refer to the same key." A certificate (and its parentage -- aka a chain) could be attached by a signer as a hint to a verifier in making his making a trust decision about the public signing key. That's the whole purpose of KeyInfo. However, there is no reason that evidence in different forms about the same key can be invalid. Having a public key certified by a CA does not in any way imply that it's unique to that CA/certification process. --Barb -----Original Message----- From: Kevin Regan [ mailto:kevinr@valicert.com <mailto:kevinr@valicert.com> ] Sent: Wednesday, July 12, 2000 1:38 PM To: w3c-ietf-xmldsig@w3.org Subject: XML Signature Section 4.4 (KeyInfo) This section says: "Multiple declarations within KeyInfo refer to the same key." Is this true? I don't think it is if we assume that certificate chains might be included (as per previous discussions). --Kevin Regan
Received on Wednesday, 12 July 2000 19:09:38 UTC