- From: Kevin Regan <kevinr@valicert.com>
- Date: Wed, 16 Aug 2000 14:22:01 -0700
- To: Kevin Regan <kevinr@valicert.com>, "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
- Cc: w3c-ietf-xmldsig@w3.org
- Message-ID: <27FF4FAEA8CDD211B97E00902745CBE201AB4512@seine.valicert.com>
It seems to me that it might make sense to simply have each X509Data element define the information associated with a single certificate. It would make it much easier for implementers to find the associated certificate when viewing the X509Data element. For example, when moving through the X509Data element, the X509SubjectName and X509IssuerSerial elements may be encountered. It would be useful to know that these referred to the same certificate. If an X509Certificate element is found, it should refer to the same certificate as that referred to by X509SubjectName and X509IssuerSerial. If there is no X509SubjectName or X509IssuerSerial, there should still only be one unique X509Certificate per X509Data... --Kevin ----- -----Original Message----- From: Kevin Regan Sent: Wednesday, August 16, 2000 2:33 PM To: 'Donald E. Eastlake 3rd'; Kevin Regan Cc: w3c-ietf-xmldsig@w3.org Subject: RE: X509Data tweaks I did notice the initial wording that talked about only having certificates "related" to the authentication public key. However, I still don't see why this change has anything to do with moving from (a) multiple X509Data elements with a single X509Certificate to (b) a single X509Data element with multiple X509Certificate elements. It seems that the coin flip went with (a) initially. I don't see why the change that you mentioned pushes us closer to (b)... --Kevin -----Original Message----- From: Donald E. Eastlake 3rd [mailto:dee3@torque.pothole.com] Sent: Wednesday, August 16, 2000 2:16 PM To: Kevin Regan Cc: w3c-ietf-xmldsig@w3.org Subject: Re: X509Data tweaks I would say because the spec was being interpreted to prohibit having any cert in KeyInfo except ones with the signature verifying public key in them and requireing the use of RetrievalMethod to indicate any other related certs. Donald From: Kevin Regan <kevinr@valicert.com> Message-ID: <27FF4FAEA8CDD211B97E00902745CBE201AB44F9@seine.valicert.com> To: tgindin@us.ibm.com, "Donald E. Eastlake 3rd" <dee3@torque.pothole.com> Cc: w3c-ietf-xmldsig@w3.org Date: Wed, 16 Aug 2000 13:46:37 -0700 >I'm curious why the leaning is now towards multiple certificates >in a single X509Data rather than 1 certificate per X509Data with >multiple X509Data elements? Is there a good reason for this? If not, >I don't think it would be appropriate to change the spec at this >point... > >--Kevin
Received on Wednesday, 16 August 2000 17:31:47 UTC