- From: Brian LaMacchia <bal@microsoft.com>
- Date: Fri, 11 Aug 2000 15:33:39 -0700
- To: "'Donald E. Eastlake 3rd'" <dee3@torque.pothole.com>
- Cc: w3c-ietf-xmldsig@w3.org
Don--
I think your DTD for the X509Data element is slightly incorrect. What you
sent around would allow zero-or-more certs or zero-or-more CRLs in a single
X509Data. What I believe was proposed in Pittsburgh was this:
<element name='X509Data'>
  <complexType content='elementOnly'>
    <choice minOccurs='1' maxOccurs='1'>
      <sequence minOccurs='1' maxOccurs='unbounded'>
        <choice minOccurs='1' maxOccurs='1'>
          <element ref='ds:X509IssuerSerial'/>
          <element name='X509SKI' type='ds:CryptoBinary'/>
          <element name='X509SubjectName' type='string'/>
          <element name='X509Certificate' type='ds:CryptoBinary'/>
        </choice>
      </sequence>
      <element name='X509CRL' type='ds:CryptoBinary' minOccurs='1' maxOccurs='1'/>
    </choice>
  </complexType>
</element>
or in DTD:
<!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName |
X509Certificate)+ | X509CRL) >
<!ELEMENT X509IssuerSerial (X509IssuerName, X509SerialNumber) >
<!ELEMENT X509IssuerName (#PCDATA) >
<!ELEMENT X509SubjectName (#PCDATA) >
<!ELEMENT X509SerialNumber (#PCDATA) >
<!ELEMENT X509SKI (#PCDATA) >
<!ELEMENT X509Certificate (#PCDATA) >
<!ELEMENT X509CRL (#PCDATA) >
That is, a single X509Data may contain a collection of certs, SKI,
SubjectName & IssuerSerial identifiers, so long as (a) all SKI, SubjectName
& IssuerSerial references refer to the same key, and (b) at least one of the
certs has a subject public key that will verify the signature.
Alternatively, an X509Data may contain exactly one CRL (what you have below
would allow multiple CRLs within a single X509Data).
--bal
-----Original Message-----
From: Donald E. Eastlake 3rd [mailto:dee3@torque.pothole.com]
Sent: Friday, August 11, 2000 12:57 PM
To: w3c-ietf-xmldsig@w3.org
Subject: X509Data tweaks
Here is a modified version of the section on X509Data as per the
discussion in Pittsburgh:
<h3>4.4.4 The <a id="sec-X509Data"
name="sec-X509Data"><code>X509Data</code></a> Element</h3>
<p>An <code>X509Data</code> element within <code>KeyInfo</code>
contains one or more identifiers of keys or identifiers of X509
certificates or X509 certificates or X509 certificate revocation lists
that may be useful for validation. Five types of <code>X509Data</code>
are defined:
<ol>
<li>The <code>X509IssuerSerial</code> element, which contains an
X.509 issuer distinguished name/serial number pair that SHOULD be
compliant with <u>RFC2253 [<a href="#ref-LDAP-DN">LDAP-DN</a>]</u>,
</li>
<li>The <code>X509SubjectName</code> element, which contains an
X.509 subject distinguished name that SHOULD be compliant with
<u>RFC2253 [<a href="#ref-LDAP-DN">LDAP-DN</a>]</u>, </li>
<li>The <code>X509SKI</code> element, which contains an X.509 subject key
identifier value.</li>
<li>The <code>X509Certificate</code> element,
which contains a Base64-encoded X.509v3 certificate, and</li>
<li>The <code>X509CRL</code> element, which contains a
Base64-encoded X.509v2 certificate revocation list (CRL).</li>
</ol>
<p>Multiple declarations about a single certificate (e.g., a
<code>X509SubjectName</code> and <code>X509IssuerSerial</code>
element) MUST be grouped inside a single <code>X509Data</code>
element; multiple declarations about the same key but different
certificates (related to that single key) MUST be grouped within a
single <code>KeyInfo</code> element but MAY occur in multiple
<code>X509Data</code> elements. For example, the
following block contains two pointers to certificate-A (issuer/serial
number and SKI) and a single reference to certificate-B
(SubjectName):</p>
<pre class="xml-example"> <X509Data> <!-- two pointers to certificate-A -->
<X509IssuerSerial>
<X509IssuerName><span
class="tx">CN=TAMURA Kent, OU=TRL, O=IBM,
L=Yamato-shi, ST=Kanagawa, C=JP</span></X509IssuerName>
<X509SerialNumber>12345678</X509SerialNumber>
</X509IssuerSerial>
<X509SKI>31d97bd7</X509SKI>
</X509Data>
<X509Data> <!-- single pointer to certificate-B -->
<X509SubjectName>Subject of <u>Certificate
B</u></X509SubjectName>
</X509Data></pre>
<p><u>Note: Direct provision is not made for a PKCS#7 encoded
"bag" of certificates or CRLs but such a set of
certificates or CRLs can occur within an X509Data element. Whenever
multiple certificates occur in an <code>X509Data</code> element, at
least one such certificate must contain the public key which verifies
the signature.</u></p>
<element name='X509IssuerName' type='string' minOccurs='1' maxOccurs='1'/>
<element name='X509SerialNumber' type='<u>integer</u>' minOccurs='1' maxOccurs='1'/>
</sequence>
</complexType>
</element>
</pre>
<pre class="xml-dtd">
DTD:
<u> <!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName)+ | X509Certificate* | X509CRL*)></u>
<!ELEMENT X509IssuerSerial (X509IssuerName, X509SerialNumber) >
<!ELEMENT X509IssuerName (#PCDATA) >
<!ELEMENT X509SubjectName (#PCDATA) >
<!ELEMENT X509SerialNumber (#PCDATA) >
<!ELEMENT X509SKI (#PCDATA) >
<!ELEMENT X509Certificate (#PCDATA) >
<!ELEMENT X509CRL (#PCDATA) >
</pre>
=====================================================================
Donald E. Eastlake 3rd dee3@torque.pothole.com
140 Forest Avenue +1 978-562-2827(h)
Hudson, MA 01749 USA +1 508-261-5434(w)
Received on Friday, 11 August 2000 18:34:18 UTC
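
Added example, not part of either message: the two X509Data content models from this thread (the one proposed in the reply and the one in the quoted draft) expressed as regular expressions over the child-element sequence, run against constructed instances to show where they disagree. The one-letter codes, sample fragments and function names are assumptions made for the illustration; the fragments are un-namespaced, like the DTD.

```python
import re
import xml.etree.ElementTree as ET

# One letter per child element, so each DTD content model becomes a regex
# over the sequence of X509Data's direct children.
CODES = {"X509IssuerSerial": "I", "X509SKI": "K", "X509SubjectName": "S",
         "X509Certificate": "C", "X509CRL": "R"}

# Reply: ((X509IssuerSerial | X509SKI | X509SubjectName | X509Certificate)+ | X509CRL)
REPLY_MODEL = re.compile(r"[IKSC]+|R")
# Draft: ((X509IssuerSerial | X509SKI | X509SubjectName)+ | X509Certificate* | X509CRL*)
DRAFT_MODEL = re.compile(r"[IKS]+|C*|R*")

# Constructed instances; element bodies are dummy values, not real certs or CRLs.
SAMPLES = {
    "empty": "<X509Data/>",
    "one_crl": "<X509Data><X509CRL>AAAA</X509CRL></X509Data>",
    "two_crls": "<X509Data><X509CRL>AAAA</X509CRL><X509CRL>BBBB</X509CRL></X509Data>",
    "cert_and_ski": "<X509Data><X509Certificate>AAAA</X509Certificate>"
                    "<X509SKI>31d97bd7</X509SKI></X509Data>",
    "two_pointers": "<X509Data><X509IssuerSerial><X509IssuerName>CN=Example"
                    "</X509IssuerName><X509SerialNumber>12345678</X509SerialNumber>"
                    "</X509IssuerSerial><X509SKI>31d97bd7</X509SKI></X509Data>",
}


def child_codes(fragment):
    """Map the direct children of an X509Data fragment to a code string."""
    root = ET.fromstring(fragment)
    if root.tag != "X509Data":
        raise ValueError("expected an X509Data element")
    unknown = [c.tag for c in root if c.tag not in CODES]
    if unknown:
        raise ValueError("unexpected child element(s): " + ", ".join(unknown))
    return "".join(CODES[c.tag] for c in root)


def accepts(model, fragment):
    """True if the whole child sequence matches the content model."""
    return model.fullmatch(child_codes(fragment)) is not None


def compare():
    """Return {sample name: (accepted by reply model, accepted by draft model)}."""
    return {name: (accepts(REPLY_MODEL, xml), accepts(DRAFT_MODEL, xml))
            for name, xml in SAMPLES.items()}


if __name__ == "__main__":
    for name, (reply_ok, draft_ok) in compare().items():
        print(f"{name:13} reply={reply_ok!s:5} draft={draft_ok}")
```

Conditions (a) and (b) in the reply are semantic (same key, a certificate whose public key verifies the signature) and need certificate parsing; neither content model can enforce them.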