- From: <tgindin@us.ibm.com>
- Date: Wed, 16 Aug 2000 15:21:51 -0400
- To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
- cc: w3c-ietf-xmldsig@w3.org
There seems to be a misunderstanding about what I proposed. The format of the return is indeed a "bag of certs". What I was recommending was that the (or at least one) example "bag" be one that client software could form into a chain if it so desired. The current example is a bag in which the certificates have no obvious relationship. The most common case for multiple certificates "related to a single key" is indeed the case where the certificates form one or more chains, is it not? Tom Gindin "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>@w3.org on 08/16/2000 02:04:01 PM Sent by: w3c-ietf-xmldsig-request@w3.org To: w3c-ietf-xmldsig@w3.org cc: Subject: Re: X509Data tweaks Hi, From: tgindin@us.ibm.com To: Brian LaMacchia <bal@microsoft.com> cc: "'Donald E. Eastlake 3rd'" <dee3@torque.pothole.com>, w3c-ietf-xmldsig@w3.org Message-ID: <85256938.0081A92F.00@D51MTA04.pok.ibm.com> Date: Fri, 11 Aug 2000 19:36:09 -0400 > Wouldn't the example of multiple X509Data's in a single KeyInfo make >more sense if the certificates formed a chain? There is an example, which I don't think so. There certainly doesn't seem to be any practical necessity for this as most X509 handling software I know about is adapted to getting a miscellaneous bag of certificates and sifting through it for whatever is useful. Mandating a "chain" would start us down the slippery sloap of just what a valid chain is, what valid roots are, what if the chain forks to more than one root, what if the validity periods seem expired (valid if you ar trying to do a historic validation), don't overlap, ..., what about policies, name subordination, etc. etc. etc. Furthermore, last I know, X509 partisans answered PGP based critics by saying that there is no need whatsoever to use X509 certificates in a hierarchial fashion. You can have a pure web-of-trust model that is based on X509 certs. What's a "chain" in that case? Donald >I hope is fairly understandable, in my earlier posting >http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JulSep/0198.html. >That example has X509Data's for three separate certificates, the first of >which is an end-user certificate which was the signer of the actual >document, the second of which is a CA certificate which is the issuer of >the first certificate, and the third of which is a root CA which was the >issuer of the second certificate. > > Tom Gindin
Received on Wednesday, 16 August 2000 15:22:05 UTC