RE: AW: Errors and Questions

Having a single certificate chain, starting at the EE would be
very useful.  However, for my product, I keep the Certificate
information outside of the actual Signature subtree.  I do
this because I may have multiple signatures for a document,
with each signature using a different private key, but the certificates
for these keys all inherent from the same root CA chain.

Therefore, I simply drop a
in the <KeyInfo> node and include certificate chains in a seperate
of the XML document.  This way, if I have signatures that share parent
certificates, the information is not duplicated.


-----Original Message-----
From: []
Sent: Friday, July 28, 2000 11:55 AM
To: Gregor Karlinger
Cc: Barb Fox; Joseph M. Reagle Jr.; XML; Brian LaMacchia
Subject: Re: AW: Errors and Questions

     I agree with you.  I don't see why we should shift from having lots
certificates allowed, with no guaranteed relationship between them, to
having only the EE certificate allowed and not allowing chains.  It
more sense, IMO, to set requirements on which certificates are allowed
along the lines of some earlier suggestions - for example, allowing only
one EE certificate and requiring that all other certificates be part of
certification chain for that one.  We could even require that there be
one chain and that the certificates appear in leaf-first order - it
still be better than just a leaf and it would not be very hard to

          Tom Gindin

"Gregor Karlinger" <> on 07/27/2000

Sent by:

To:   "Gregor Karlinger" <>, "Barb Fox"
      <>, "Joseph M. Reagle Jr."
cc:   "XML" <>, "Brian LaMacchia"
Subject:  AW: Errors and Questions

Sorry, I hit the  wrong key on my keyboard, and the message was gone ...

Hi Barb,

 > [GK20]Only a single certificate possible  here?  [Barb]  Yes. One per

Please see my comment on [GK20] in my  previous message:

Regards,  Gregor
Gregor  Karlinger
Phone +43 316  873 5541
Institute for Applied Information Processing and  Communications

Received on Friday, 28 July 2000 15:23:54 UTC