- From: Kevin Regan <kevinr@valicert.com>
- Date: Fri, 11 Aug 2000 16:38:58 -0700
- To: tgindin@us.ibm.com, Brian LaMacchia <bal@microsoft.com>
- Cc: "'Donald E. Eastlake 3rd'" <dee3@torque.pothole.com>, w3c-ietf-xmldsig@w3.org
- Message-ID: <27FF4FAEA8CDD211B97E00902745CBE201AB41EC@seine.valicert.com>
Yes, my understand was a separate X509Data for each X509Certificate (and only one X509Certificate per X509Data). <!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName)+ | X509Certificate | X509CRL) > --Kevin -----Original Message----- From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com] Sent: Friday, August 11, 2000 4:36 PM To: Brian LaMacchia Cc: 'Donald E. Eastlake 3rd'; w3c-ietf-xmldsig@w3.org Subject: RE: X509Data tweaks Wouldn't the example of multiple X509Data's in a single KeyInfo make more sense if the certificates formed a chain? There is an example, which I hope is fairly understandable, in my earlier posting http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JulSep/0198.htm l. That example has X509Data's for three separate certificates, the first of which is an end-user certificate which was the signer of the actual document, the second of which is a CA certificate which is the issuer of the first certificate, and the third of which is a root CA which was the issuer of the second certificate. Tom Gindin Brian LaMacchia <bal@microsoft.com>@w3.org on 08/11/2000 06:33:39 PM Sent by: w3c-ietf-xmldsig-request@w3.org To: "'Donald E. Eastlake 3rd'" <dee3@torque.pothole.com> cc: w3c-ietf-xmldsig@w3.org Subject: RE: X509Data tweaks Don-- I think your DTD for the X509Data element is slightly incorrect. What you sent around would allow zero-or-more certs or zero-or-more CRLs in a single X509Data. What I believe was proposed in Pittsburgh was this: <element name='X509Data'> <complexType content='elementOnly'> <choice minOccurs='1' maxOccurs='1'> <sequence minOccurs='1' maxOccurs='unbounded'> <choice minOccurs='1' maxOccurs='1'> <element ref='ds:X509IssuerSerial'/> <element name='X509SKI' type='ds:CryptoBinary'/> <element name='X509SubjectName' type='string'/> <element name='X509Certificate' type='ds:CryptoBinary'/> </choice> </sequence> <element name='X509CRL' type='ds:CryptoBinary' minOccurs='1' maxOccurs='1'/> </choice> </complexType> </element> or in DTD: <!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName | X509Certificate)+ | X509CRL) > <!ELEMENT X509IssuerSerial (X509IssuerName, X509SerialNumber) > <!ELEMENT X509IssuerName (#PCDATA) > <!ELEMENT X509SubjectName (#PCDATA) > <!ELEMENT X509SerialNumber (#PCDATA) > <!ELEMENT X509SKI (#PCDATA) > <!ELEMENT X509Certificate (#PCDATA) > <!ELEMENT X509CRL (#PCDATA) > That is, a single X509Data may contain a collection of certs, SKI, SubjectName & IssuerSerial identifiers, so long as (a) all SKI, SubjectName & IssuerSerial references refer to the same key, and (b) at least one of the certs has a subject public key that will verify the signature. Alternatively, an X509Data may contain exactly one CRL (what you have below would allow multiple CRLs within a single X509Data). --bal -----Original Message----- From: Donald E. Eastlake 3rd [mailto:dee3@torque.pothole.com] Sent: Friday, August 11, 2000 12:57 PM To: w3c-ietf-xmldsig@w3.org Subject: X509Data tweaks Here is a modified version of the section on X509Data as per the discussion in Pittsburgh: <h3>4.4.4 The <a id="sec-X509Data" name="sec-X509Data"><code>X509Data</code></a> Element</h3> <p>An <code>X509Data</code> element within <code>KeyInfo</code> contains one or more identifiers of keys or identifiers of 509 certificates or X509 certificates or X509 certificate revocation lists that may be useful for validation. Five types of <code>X509Data</code> are defined: <ol> <li>The <code>X509IssuerSerial</code> element, which contains an X.509 issuer distinguished name/serial number pair that SHOULD be compliant with <u>RFC2253 [<a href="#ref-LDAP-DN">LDAP-DN</a>]</u>, </li> <li>The <code>X509SubjectName</code> element, which contains an X.509 subject distinguished name that SHOULD be compliant with <u>RFC2253 [<a href="#ref-LDAP-DN">LDAP-DN</a>]</u>, </li> <li>The <code>X509SKI</code> element, which contains an X.509 subject key identifier value.</li> <li>The <code>X509Certificate</code> element, which contains a Base64-encoded X.509v3 certificate, and</li> <li>The <code>X509CRL</code> element, which contains a Base64-encoded X.509v2 certificate revocation list (CRL).</li> </ol> <p>Multiple declarations about a single certificate (e.g., a <code>X509SubjectName</code> and <code>X509IssuerSerial</code> element) MUST be grouped inside a single <code>X509Data</code> element; multiple declarations about the same key but different certificates (related to that single key) MUST be grouped within a single <code>KeyInfo</code> element but MAY occur in multiple <code>X509Data</code> elements. For example, the following block contains two pointers to certificate-A (issuer/serial number and SKI) and a single reference to certificate-B (SubjectName):</p> <pre class="xml-example"> <X509Data> <!-- two pointers to certificate-A --\ > <X509IssuerSerial> <X509IssuerName><span class="tx">CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP</span></X509IssuerName> <X509SerialNumber>12345678</X509SerialNumber> </X509IssuerSerial> <X509SKI>31d97bd7</X509SKI> </X509Data> <X509Data> <!-- single pointer to certificate-B --> <X509SubjectName>Subject of <u>Certificate B</u></X509SubjectName> </X509Data></pre> <p><u>Note: Direct provision is not made for a PKCS#7 encoded "bag" of certificates or CRLs but such a set of certificates or CRLs can occur within an X509Data element. Whenever multiple certificates occur in an <code>X509Data</code> element, at least one such certificate must contain the public key which verifies the signature.</u></p> ;element name='X509IssuerName' type='string' minOccurs='1' maxOccurs='1'/\ > <element name='X509SerialNumber' type='<u>integer</u>' minOccurs='1' maxO\ ccurs='1'/> </sequence> </complexType> </element> </pre> <pre class="xml-dtd"> DTD: <u> <!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName)+ | X509Certificate* | X509CRL*)></u> <!ELEMENT X509IssuerSerial (X509IssuerName, X509SerialNumber) > <!ELEMENT X509IssuerName (#PCDATA) > <!ELEMENT X509SubjectName (#PCDATA) > <!ELEMENT X509SerialNumber (#PCDATA) > <!ELEMENT X509SKI (#PCDATA) > <!ELEMENT X509Certificate (#PCDATA) > <!ELEMENT X509CRL (#PCDATA) > </pre> ===================================================================== Donald E. Eastlake 3rd dee3@torque.pothole.com 140 Forest Avenue +1 978-562-2827(h) Hudson, MA 01749 USA +1 508-261-5434(w)
Received on Friday, 11 August 2000 19:48:41 UTC