RE: X509Data tweaks from tgindin@us.ibm.com on 2000-08-16 (w3c-ietf-xmldsig@w3.org from July to September 2000)

From: <tgindin@us.ibm.com>
Date: Wed, 16 Aug 2000 17:46:25 -0400
To: Kevin Regan <kevinr@valicert.com>
cc: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>, w3c-ietf-xmldsig@w3.org
Message-ID: <8525693D.00779C08.00@D51MTA04.pok.ibm.com>

     I don't know what this issue has to do with whether there are multiple
certificates in an X509Data, or multiple single-certificate X509Data's in a
KeyInfo either.  The example I was suggesting go into the specification
actually had multiple related certificates in separate X509Data's within a
single KeyInfo.

          Tom Gindin

Kevin Regan <kevinr@valicert.com>@w3.org on 08/16/2000 05:10:53 PM

Sent by:  w3c-ietf-xmldsig-request@w3.org


To:   "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>, Kevin Regan
      <kevinr@valicert.com>
cc:   w3c-ietf-xmldsig@w3.org
Subject:  RE: X509Data tweaks




I did notice the initial wording that talked about only
having certificates "related" to the authentication public
key.  However, I still don't see why this change has anything
to do with moving from (a) multiple X509Data elements with a
single X509Certificate to (b) a single X509Data element with
multiple X509Certificate elements.

It seems that the coin flip went with (a) initially.  I don't
see why the change that you mentioned pushes us closer to (b)...

--Kevin

-----Original Message-----
From: Donald E. Eastlake 3rd [mailto:dee3@torque.pothole.com]
Sent: Wednesday, August 16, 2000 2:16 PM
To: Kevin Regan
Cc: w3c-ietf-xmldsig@w3.org
Subject: Re: X509Data tweaks



I would say because the spec was being interpreted to prohibit having
any cert in KeyInfo except ones with the signature verifying public
key in them and requireing the use of RetrievalMethod to indicate
any other related certs.

Donald

From:  Kevin Regan <kevinr@valicert.com>
Message-ID:
<27FF4FAEA8CDD211B97E00902745CBE201AB44F9@seine.valicert.com>
To:  tgindin@us.ibm.com, "Donald E. Eastlake 3rd"
<dee3@torque.pothole.com>
Cc:  w3c-ietf-xmldsig@w3.org
Date:  Wed, 16 Aug 2000 13:46:37 -0700

>I'm curious why the leaning is now towards multiple certificates
>in a single X509Data rather than 1 certificate per X509Data with
>multiple X509Data elements?  Is there a good reason for this?  If not,
>I don't think it would be appropriate to change the spec at this
>point...
>
>--Kevin

Received on Wednesday, 16 August 2000 17:46:47 UTC