Re: X509Data tweaks

Hi,

From:  tgindin@us.ibm.com
To:  Brian LaMacchia <bal@microsoft.com>
cc:  "'Donald E. Eastlake 3rd'" <dee3@torque.pothole.com>,
            w3c-ietf-xmldsig@w3.org
Message-ID:  <85256938.0081A92F.00@D51MTA04.pok.ibm.com>
Date:  Fri, 11 Aug 2000 19:36:09 -0400

>     Wouldn't the example of multiple X509Data's in a single KeyInfo make
>more sense if the certificates formed a chain?  There is an example, which

I don't think so.

There certainly doesn't seem to be any practical necessity for this as
most X509 handling software I know about is adapted to getting a
miscellaneous bag of certificates and sifting through it for whatever
is useful.

Mandating a "chain" would start us down the slippery sloap of just
what a valid chain is, what valid roots are, what if the chain forks
to more than one root, what if the validity periods seem expired
(valid if you ar trying to do a historic validation), don't overlap,
..., what about policies, name subordination, etc. etc. etc.
Furthermore, last I know, X509 partisans answered PGP based critics by
saying that there is no need whatsoever to use X509 certificates in a
hierarchial fashion.  You can have a pure web-of-trust model that is
based on X509 certs.  What's a "chain" in that case?

Donald

>I hope is fairly understandable, in my earlier posting
>http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JulSep/0198.html.
>That example has X509Data's for three separate certificates, the first of
>which is an end-user certificate which was the signer of the actual
>document, the second of which is a CA certificate which is the issuer of
>the first certificate, and the third of which is a root CA which was the
>issuer of the second certificate.
>
>          Tom Gindin

Received on Wednesday, 16 August 2000 14:01:15 UTC