- From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
- Date: Wed, 16 Aug 2000 14:14:32 -0400
- To: w3c-ietf-xmldsig@w3.org
Hi, From: Brian LaMacchia <bal@microsoft.com> Message-ID: <FB9575840F91DC4EACEB5CD6F573A20DB8A043@red-msg-20.redmond.corp.microsoft.com> To: "'Donald E. Eastlake 3rd'" <dee3@torque.pothole.com> Cc: w3c-ietf-xmldsig@w3.org Date: Fri, 11 Aug 2000 15:33:39 -0700 >Don-- > >I think your DTD for the X509Data element is slightly incorrect. What you >sent around would allow zero-or-more certs or zero-or-more CRLs in a single >X509Data. What I believe was proposed in Pittsburgh was this: OK, I'll admit mine was a bit off... It should be one-or-more certs. And I'll buy zero-or-more CRLs like you say above (although below you show zero-or-one). But is it best to allow just a CRL? Why not some identification stuff, including optionally one-or-more certs, plus zero or more CRLs. This seems closer to a PKCS bag of certs/CRLs. But I don't feel that strongly on this point and if implementors prefer what you have below, I won't argue much... Donald > <element name='X509Data'> > <complexType content='elementOnly'> > <choice minOccurs='1' maxOccurs='1'> > <sequence minOccurs='1' maxOccurs='unbounded'> > <choice minOccurs='1' maxOccurs='1'> > <element ref='ds:X509IssuerSerial'/> > <element name='X509SKI' type='ds:CryptoBinary'/> > <element name='X509SubjectName' type='string'/> > <element name='X509Certificate' type='ds:CryptoBinary'/> > </choice> > </sequence> > <element name='X509CRL' type='ds:CryptoBinary' minOccurs='1' maxOccurs='1'> > </choice> > </complexType> > </element> > >or in DTD: > > <!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName | >X509Certificate)+ | X509CRL) > > <!ELEMENT X509IssuerSerial (X509IssuerName, X509SerialNumber) > > <!ELEMENT X509IssuerName (#PCDATA) > > <!ELEMENT X509SubjectName (#PCDATA) > > <!ELEMENT X509SerialNumber (#PCDATA) > > <!ELEMENT X509SKI (#PCDATA) > > <!ELEMENT X509Certificate (#PCDATA) > > <!ELEMENT X509CRL (#PCDATA) > > >That is, a single X509Data may contain a collection of certs, SKI, >SubjectName & IssuerSerial identifiers, so long as (a) all SKI, SubjectName >& IssuerSerial references refer to the same key, and (b) at least one of the >certs has a subject public key that will verify the signature. >Alternatively, an X509Data may contain exactly one CRL (what you have below >would allow multiple CRLs within a single X509Data). > > --bal > >-----Original Message----- >From: Donald E. Eastlake 3rd [mailto:dee3@torque.pothole.com] >Sent: Friday, August 11, 2000 12:57 PM >To: w3c-ietf-xmldsig@w3.org >Subject: X509Data tweaks > > >Here is a modified version of the section on X509Data as per the >discussion in Pittsburgh: > ><h3>4.4.4 The <a id="sec-X509Data" >name="sec-X509Data"><code>X509Data</code></a> Element</h3> > ><p>An <code>X509Data</code> element within <code>KeyInfo</code> >contains one or more identifiers of keys or identifiers of 509 >certificates or X509 certificates or X509 certificate revocation lists >that may be useful for validation. Five types of <code>X509Data</code> >are defined: > ><ol> > <li>The <code>X509IssuerSerial</code> element, which contains an > X.509 issuer distinguished name/serial number pair that SHOULD be > compliant with <u>RFC2253 [<a href="#ref-LDAP-DN">LDAP-DN</a>]</u>, > </li> > <li>The <code>X509SubjectName</code> element, which contains an > X.509 subject distinguished name that SHOULD be compliant with > <u>RFC2253 [<a href="#ref-LDAP-DN">LDAP-DN</a>]</u>, </li> > <li>The <code>X509SKI</code> element, which contains an X.509 subject key > identifier value.</li> > <li>The <code>X509Certificate</code> element, > which contains a Base64-encoded X.509v3 certificate, and</li> > <li>The <code>X509CRL</code> element, which contains a > Base64-encoded X.509v2 certificate revocation list (CRL).</li> ></ol> > ><p>Multiple declarations about a single certificate (e.g., a ><code>X509SubjectName</code> and <code>X509IssuerSerial</code> >element) MUST be grouped inside a single <code>X509Data</code> >element; multiple declarations about the same key but different >certificates (related to that single key) MUST be grouped within a >single <code>KeyInfo</code> element but MAY occur in multiple ><code>X509Data</code> elements. For example, the >following block contains two pointers to certificate-A (issuer/serial >number and SKI) and a single reference to certificate-B >(SubjectName):</p> > ><pre class="xml-example"> <X509Data> <!-- two pointers to >certificate-A --\ >> > <X509IssuerSerial> > <X509IssuerName><span >class="tx">CN=TAMURA Kent, OU=TRL, O=IBM, > L=Yamato-shi, ST=Kanagawa, C=JP</span></X509IssuerName> > <X509SerialNumber>12345678</X509SerialNumber> > </X509IssuerSerial> > <X509SKI>31d97bd7</X509SKI> > </X509Data> > <X509Data> <!-- single pointer to certificate-B --> > <X509SubjectName>Subject of <u>Certificate >B</u></X509SubjectName> > </X509Data></pre> > ><p><u>Note: Direct provision is not made for a PKCS#7 encoded >"bag" of certificates or CRLs but such a set of >certificates or CRLs can occur within an X509Data element. Whenever >multiple certificates occur in an <code>X509Data</code> element, at >least one such certificate must contain the public key which verifies >the signature.</u></p> > >;element name='X509IssuerName' type='string' minOccurs='1' maxOccurs='1'/\ >> > <element name='X509SerialNumber' type='<u>integer</u>' >minOccurs='1' maxO\ >ccurs='1'/> > </sequence> > </complexType> > </element> ></pre> > ><pre class="xml-dtd"> > DTD: > > <u> <!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName)+ >| > X509Certificate* | X509CRL*)></u> > <!ELEMENT X509IssuerSerial (X509IssuerName, X509SerialNumber) > > <!ELEMENT X509IssuerName (#PCDATA) > > <!ELEMENT X509SubjectName (#PCDATA) > > <!ELEMENT X509SerialNumber (#PCDATA) > > <!ELEMENT X509SKI (#PCDATA) > > <!ELEMENT X509Certificate (#PCDATA) > > <!ELEMENT X509CRL (#PCDATA) > ></pre> > >===================================================================== > Donald E. Eastlake 3rd dee3@torque.pothole.com > 140 Forest Avenue +1 978-562-2827(h) > Hudson, MA 01749 USA +1 508-261-5434(w)
Received on Wednesday, 16 August 2000 14:11:47 UTC