RE: AW: Errors and Questions from Kevin Regan on 2000-07-28 (w3c-ietf-xmldsig@w3.org from July to September 2000)

From: Kevin Regan <kevinr@valicert.com>
Date: Fri, 28 Jul 2000 12:14:53 -0700
To: tgindin@us.ibm.com, Gregor Karlinger <gregor.karlinger@iaik.at>
Cc: Barb Fox <bfox@Exchange.Microsoft.com>, "Joseph M. Reagle Jr." <reagle@w3.org>, XML <w3c-ietf-xmldsig@w3.org>, Brian LaMacchia <bal@microsoft.com>
Message-id: <27FF4FAEA8CDD211B97E00902745CBE2017C9116@seine.valicert.com>

Having a single certificate chain, starting at the EE would be
very useful.  However, for my product, I keep the Certificate
information outside of the actual Signature subtree.  I do
this because I may have multiple signatures for a document,
with each signature using a different private key, but the certificates
for these keys all inherent from the same root CA chain.

Therefore, I simply drop a
<X509Data><X509IsserSerial>...</X509IsserSerial></X509Data>
in the <KeyInfo> node and include certificate chains in a seperate
portion
of the XML document.  This way, if I have signatures that share parent
CA
certificates, the information is not duplicated.

--Kevin

-----Original Message-----
From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com]
Sent: Friday, July 28, 2000 11:55 AM
To: Gregor Karlinger
Cc: Barb Fox; Joseph M. Reagle Jr.; XML; Brian LaMacchia
Subject: Re: AW: Errors and Questions


     I agree with you.  I don't see why we should shift from having lots
of
certificates allowed, with no guaranteed relationship between them, to
having only the EE certificate allowed and not allowing chains.  It
makes
more sense, IMO, to set requirements on which certificates are allowed
along the lines of some earlier suggestions - for example, allowing only
one EE certificate and requiring that all other certificates be part of
a
certification chain for that one.  We could even require that there be
only
one chain and that the certificates appear in leaf-first order - it
would
still be better than just a leaf and it would not be very hard to
implement.

          Tom Gindin

"Gregor Karlinger" <gregor.karlinger@iaik.at>@w3.org on 07/27/2000
03:54:06
AM

Sent by:  w3c-ietf-xmldsig-request@w3.org


To:   "Gregor Karlinger" <gregor.karlinger@iaik.at>, "Barb Fox"
      <bfox@Exchange.Microsoft.com>, "Joseph M. Reagle Jr."
<reagle@w3.org>
cc:   "XML" <w3c-ietf-xmldsig@w3.org>, "Brian LaMacchia"
      <bal@microsoft.com>
Subject:  AW: Errors and Questions




Sorry, I hit the  wrong key on my keyboard, and the message was gone ...

Hi Barb,



 > [GK20]Only a single certificate possible  here?  [Barb]  Yes. One per
clause.


Please see my comment on [GK20] in my  previous message:

http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JulSep/0176.htm
l

Regards,  Gregor
---------------------------------------------------------------
Gregor  Karlinger
mailto://gregor.karlinger@iaik.at
http://www.iaik.at
Phone +43 316  873 5541
Institute for Applied Information Processing and  Communications
Austria
---------------------------------------------------------------

Received on Friday, 28 July 2000 15:23:54 UTC