RE: X509Data tweaks from Kevin Regan on 2000-08-16 (w3c-ietf-xmldsig@w3.org from July to September 2000)

From: Kevin Regan <kevinr@valicert.com>
Date: Wed, 16 Aug 2000 13:46:37 -0700
To: tgindin@us.ibm.com, "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Cc: w3c-ietf-xmldsig@w3.org
Message-ID: <27FF4FAEA8CDD211B97E00902745CBE201AB44F9@seine.valicert.com>

I'm curious why the leaning is now towards multiple certificates
in a single X509Data rather than 1 certificate per X509Data with
multiple X509Data elements?  Is there a good reason for this?  If not,
I don't think it would be appropriate to change the spec at this
point...

--Kevin

-----Original Message-----
From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com]
Sent: Wednesday, August 16, 2000 12:22 PM
To: Donald E. Eastlake 3rd
Cc: w3c-ietf-xmldsig@w3.org
Subject: Re: X509Data tweaks


     There seems to be a misunderstanding about what I proposed.
     The format of the return is indeed a "bag of certs".  What I was
recommending was that the (or at least one) example "bag" be one that
client software could form into a chain if it so desired.  The current
example is a bag in which the certificates have no obvious relationship.
The most common case for multiple certificates "related to a single key"
is
indeed the case where the certificates form one or more chains, is it
not?

          Tom Gindin


"Donald E. Eastlake 3rd" <dee3@torque.pothole.com>@w3.org on 08/16/2000
02:04:01 PM

Sent by:  w3c-ietf-xmldsig-request@w3.org


To:   w3c-ietf-xmldsig@w3.org
cc:
Subject:  Re: X509Data tweaks



Hi,

From:  tgindin@us.ibm.com
To:  Brian LaMacchia <bal@microsoft.com>
cc:  "'Donald E. Eastlake 3rd'" <dee3@torque.pothole.com>,
            w3c-ietf-xmldsig@w3.org
Message-ID:  <85256938.0081A92F.00@D51MTA04.pok.ibm.com>
Date:  Fri, 11 Aug 2000 19:36:09 -0400

>     Wouldn't the example of multiple X509Data's in a single KeyInfo
make
>more sense if the certificates formed a chain?  There is an example,
which

I don't think so.

There certainly doesn't seem to be any practical necessity for this as
most X509 handling software I know about is adapted to getting a
miscellaneous bag of certificates and sifting through it for whatever
is useful.

Mandating a "chain" would start us down the slippery sloap of just
what a valid chain is, what valid roots are, what if the chain forks
to more than one root, what if the validity periods seem expired
(valid if you ar trying to do a historic validation), don't overlap,
..., what about policies, name subordination, etc. etc. etc.
Furthermore, last I know, X509 partisans answered PGP based critics by
saying that there is no need whatsoever to use X509 certificates in a
hierarchial fashion.  You can have a pure web-of-trust model that is
based on X509 certs.  What's a "chain" in that case?

Donald

>I hope is fairly understandable, in my earlier posting
>http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JulSep/0198.ht
ml.
>That example has X509Data's for three separate certificates, the first
of
>which is an end-user certificate which was the signer of the actual
>document, the second of which is a CA certificate which is the issuer
of
>the first certificate, and the third of which is a root CA which was
the
>issuer of the second certificate.
>
>          Tom Gindin

Received on Wednesday, 16 August 2000 16:56:24 UTC