- From: Brian LaMacchia <bal@microsoft.com>
- Date: Fri, 11 Aug 2000 17:24:11 -0700
- To: "'Kevin Regan'" <kevinr@valicert.com>, tgindin@us.ibm.com
- Cc: "'Donald E. Eastlake 3rd'" <dee3@torque.pothole.com>, w3c-ietf-xmldsig@w3.org
Yes, that is the way it was before Pittsburgh. The compromise/refinement outlined below was presented at the meeting in an attempt to reach closure on this issue. Folks in Pittsburgh seemed to view this modification favorably and recommended bringing it to the list for full WG discussion.

--bal

-----Original Message-----
From: Kevin Regan [mailto:kevinr@valicert.com]
Sent: Friday, August 11, 2000 4:39 PM
To: tgindin@us.ibm.com; Brian LaMacchia
Cc: 'Donald E. Eastlake 3rd'; w3c-ietf-xmldsig@w3.org
Subject: RE: X509Data tweaks

Yes, my understanding was a separate X509Data for each X509Certificate (and only one X509Certificate per X509Data).

<!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName)+ | X509Certificate | X509CRL) >

--Kevin

-----Original Message-----
From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com]
Sent: Friday, August 11, 2000 4:36 PM
To: Brian LaMacchia
Cc: 'Donald E. Eastlake 3rd'; w3c-ietf-xmldsig@w3.org
Subject: RE: X509Data tweaks

Wouldn't the example of multiple X509Data's in a single KeyInfo make more sense if the certificates formed a chain? There is an example, which I hope is fairly understandable, in my earlier posting http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JulSep/0198.html. That example has X509Data's for three separate certificates, the first of which is an end-user certificate which was the signer of the actual document, the second of which is a CA certificate which is the issuer of the first certificate, and the third of which is a root CA which was the issuer of the second certificate.

Tom Gindin

Brian LaMacchia <bal@microsoft.com>@w3.org on 08/11/2000 06:33:39 PM
Sent by: w3c-ietf-xmldsig-request@w3.org
To: "'Donald E. Eastlake 3rd'" <dee3@torque.pothole.com>
cc: w3c-ietf-xmldsig@w3.org
Subject: RE: X509Data tweaks

Don--

I think your DTD for the X509Data element is slightly incorrect. What you sent around would allow zero-or-more certs or zero-or-more CRLs in a single X509Data.
What I believe was proposed in Pittsburgh was this:

<element name='X509Data'>
  <complexType content='elementOnly'>
    <choice minOccurs='1' maxOccurs='1'>
      <sequence minOccurs='1' maxOccurs='unbounded'>
        <choice minOccurs='1' maxOccurs='1'>
          <element ref='ds:X509IssuerSerial'/>
          <element name='X509SKI' type='ds:CryptoBinary'/>
          <element name='X509SubjectName' type='string'/>
          <element name='X509Certificate' type='ds:CryptoBinary'/>
        </choice>
      </sequence>
      <element name='X509CRL' type='ds:CryptoBinary' minOccurs='1' maxOccurs='1'/>
    </choice>
  </complexType>
</element>

or in DTD:

<!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName | X509Certificate)+ | X509CRL) >
<!ELEMENT X509IssuerSerial (X509IssuerName, X509SerialNumber) >
<!ELEMENT X509IssuerName (#PCDATA) >
<!ELEMENT X509SubjectName (#PCDATA) >
<!ELEMENT X509SerialNumber (#PCDATA) >
<!ELEMENT X509SKI (#PCDATA) >
<!ELEMENT X509Certificate (#PCDATA) >
<!ELEMENT X509CRL (#PCDATA) >

That is, a single X509Data may contain a collection of certs, SKI, SubjectName & IssuerSerial identifiers, so long as (a) all SKI, SubjectName & IssuerSerial references refer to the same key, and (b) at least one of the certs has a subject public key that will verify the signature. Alternatively, an X509Data may contain exactly one CRL (what you have below would allow multiple CRLs within a single X509Data).

--bal

-----Original Message-----
From: Donald E. Eastlake 3rd [mailto:dee3@torque.pothole.com]
Sent: Friday, August 11, 2000 12:57 PM
To: w3c-ietf-xmldsig@w3.org
Subject: X509Data tweaks

Here is a modified version of the section on X509Data as per the discussion in Pittsburgh:

<h3>4.4.4 The <a id="sec-X509Data" name="sec-X509Data"><code>X509Data</code></a> Element</h3>

<p>An <code>X509Data</code> element within <code>KeyInfo</code> contains one or more identifiers of keys or identifiers of X509 certificates or X509 certificates or X509 certificate revocation lists that may be useful for validation.
Five types of <code>X509Data</code> are defined:
<ol>
<li>The <code>X509IssuerSerial</code> element, which contains an X.509 issuer distinguished name/serial number pair that SHOULD be compliant with <u>RFC2253 [<a href="#ref-LDAP-DN">LDAP-DN</a>]</u>, </li>
<li>The <code>X509SubjectName</code> element, which contains an X.509 subject distinguished name that SHOULD be compliant with <u>RFC2253 [<a href="#ref-LDAP-DN">LDAP-DN</a>]</u>, </li>
<li>The <code>X509SKI</code> element, which contains an X.509 subject key identifier value.</li>
<li>The <code>X509Certificate</code> element, which contains a Base64-encoded X.509v3 certificate, and</li>
<li>The <code>X509CRL</code> element, which contains a Base64-encoded X.509v2 certificate revocation list (CRL).</li>
</ol>

<p>Multiple declarations about a single certificate (e.g., a <code>X509SubjectName</code> and <code>X509IssuerSerial</code> element) MUST be grouped inside a single <code>X509Data</code> element; multiple declarations about the same key but different certificates (related to that single key) MUST be grouped within a single <code>KeyInfo</code> element but MAY occur in multiple <code>X509Data</code> elements. For example, the following block contains two pointers to certificate-A (issuer/serial number and SKI) and a single reference to certificate-B (SubjectName):</p>

<pre class="xml-example">
<X509Data> <!-- two pointers to certificate-A -->
  <X509IssuerSerial>
    <X509IssuerName><span class="tx">CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP</span></X509IssuerName>
    <X509SerialNumber>12345678</X509SerialNumber>
  </X509IssuerSerial>
  <X509SKI>31d97bd7</X509SKI>
</X509Data>
<X509Data> <!-- single pointer to certificate-B -->
  <X509SubjectName>Subject of <u>Certificate B</u></X509SubjectName>
</X509Data></pre>

<p><u>Note: Direct provision is not made for a PKCS#7 encoded "bag" of certificates or CRLs but such a set of certificates or CRLs can occur within an X509Data element.
Whenever multiple certificates occur in an <code>X509Data</code> element, at least one such certificate must contain the public key which verifies the signature.</u></p> ;element name='X509IssuerName' type='string' minOccurs='1' maxOccurs='1'/\ > <element name='X509SerialNumber' type='<u>integer</u>' minOccurs='1' maxO\ ccurs='1'/> </sequence> </complexType> </element> </pre> <pre class="xml-dtd"> DTD: <u> <!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName)+ | X509Certificate* | X509CRL*)></u> <!ELEMENT X509IssuerSerial (X509IssuerName, X509SerialNumber) > <!ELEMENT X509IssuerName (#PCDATA) > <!ELEMENT X509SubjectName (#PCDATA) > <!ELEMENT X509SerialNumber (#PCDATA) > <!ELEMENT X509SKI (#PCDATA) > <!ELEMENT X509Certificate (#PCDATA) > <!ELEMENT X509CRL (#PCDATA) > </pre> ===================================================================== Donald E. Eastlake 3rd dee3@torque.pothole.com 140 Forest Avenue +1 978-562-2827(h) Hudson, MA 01749 USA +1 508-261-5434(w)
Received on Friday, 11 August 2000 20:24:48 UTC
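As an added illustration (not code from the thread or from the XML-Signature spec), the following Python check classifies the children of an X509Data element against the two content models argued over above: the draft DTD Don posted (zero-or-more certs or zero-or-more CRLs) and the Pittsburgh model Brian restated (one or more identifiers/certs, or exactly one CRL). The sample inputs are constructed; the X509Certificate value is a placeholder, not a real certificate.

```python
import xml.etree.ElementTree as ET

# Child elements that point at a certificate/key rather than carry one.
IDENTIFIERS = {"X509IssuerSerial", "X509SKI", "X509SubjectName"}


def _child_names(xml_text):
    """Local names of the X509Data children, with any namespace prefix stripped."""
    return [child.tag.rsplit("}", 1)[-1] for child in ET.fromstring(xml_text)]


def check_proposed(xml_text):
    """Pittsburgh model: (IssuerSerial | SKI | SubjectName | Certificate)+  |  one X509CRL."""
    names = _child_names(xml_text)
    if not names:
        return False, "X509Data must not be empty"
    if "X509CRL" in names:
        # A CRL stands alone: no second CRL and no certificate identifiers beside it.
        return (True, "ok") if names == ["X509CRL"] else (False, "X509CRL must be the only child")
    unexpected = [n for n in names if n not in IDENTIFIERS | {"X509Certificate"}]
    if unexpected:
        return False, "unexpected child " + unexpected[0]
    return True, "ok"


def check_draft(xml_text):
    """Earlier draft DTD: (IssuerSerial | SKI | SubjectName)+ | X509Certificate* | X509CRL*."""
    names = _child_names(xml_text)
    groups = {"id" if n in IDENTIFIERS else n for n in names}
    if groups - {"id", "X509Certificate", "X509CRL"}:
        return False, "unexpected child"
    if len(groups) > 1:
        return False, "children must all come from one alternative"
    # What slips through here: an empty X509Data (Certificate*) and several CRLs (CRL*).
    return True, "ok"


# Constructed samples. CERT_A reuses the identifiers from the thread's example and adds a
# placeholder X509Certificate value; the other two are the edge cases the models differ on.
CERT_A = """<X509Data>
  <X509IssuerSerial>
    <X509IssuerName>CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP</X509IssuerName>
    <X509SerialNumber>12345678</X509SerialNumber>
  </X509IssuerSerial>
  <X509SKI>31d97bd7</X509SKI>
  <X509Certificate>QUJDRA==</X509Certificate>
</X509Data>"""
TWO_CRLS = "<X509Data><X509CRL>QUJD</X509CRL><X509CRL>REVG</X509CRL></X509Data>"
EMPTY = "<X509Data/>"

if __name__ == "__main__":
    for label, sample in [("cert-A", CERT_A), ("two CRLs", TWO_CRLS), ("empty", EMPTY)]:
        print(label, "proposed:", check_proposed(sample), "draft:", check_draft(sample))
```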