- From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
- Date: Thu, 17 Aug 2000 08:50:58 -0400
- To: tgindin@us.ibm.com, Kevin Regan <kevinr@valicert.com>, w3c-ietf-xmldsig@w3.org
It says in the Syntax and Processing document "Multiple declarations within KeyInfo refer to the same key." An X509Data element is a declaration within a KeyInfo element. The consensus is that other certificates than ones actually containing a key don't "refer to" that key. Thus the minor change of putting multiple certificates from a bag in an X509Data rather than one certificate each in multiple X509Data's. All the groups involved in current interoperability testing seem to think this minor change is fine.

I'm sorry if you guys don't think the above is sufficient motivation for this minor change. Most people seem to think it is. And since you seem to agree that it is not a big deal, unless some consensus materializes to change it again, it will stay multiple certificates per X509Data element in this document. (And if the current consensus for multiple certificates per X509Data element dissolves into anarchy, the entire section will be pulled from this document and there will be no standard in this area for some time until a hypothetical additional document gets written and approved. I believe this would damage interoperability.)

Donald

From: tgindin@us.ibm.com
X-Lotus-FromDomain: IBMUS
To: Kevin Regan <kevinr@valicert.com>
cc: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>, w3c-ietf-xmldsig@w3.org
Message-ID: <8525693D.00779C08.00@D51MTA04.pok.ibm.com>
Date: Wed, 16 Aug 2000 17:46:25 -0400
Content-type: text/plain; charset=us-ascii
Content-Disposition: inline

> I don't know what this issue has to do with whether there are multiple
> certificates in an X509Data, or multiple single-certificate X509Data's in a
> KeyInfo either. The example I was suggesting go into the specification
> actually had multiple related certificates in separate X509Data's within a
> single KeyInfo.
>
> Tom Gindin
>
> Kevin Regan <kevinr@valicert.com>@w3.org on 08/16/2000 05:10:53 PM
>
> Sent by: w3c-ietf-xmldsig-request@w3.org
>
> To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>, Kevin Regan <kevinr@valicert.com>
> cc: w3c-ietf-xmldsig@w3.org
> Subject: RE: X509Data tweaks
>
> I did notice the initial wording that talked about only
> having certificates "related" to the authentication public
> key. However, I still don't see why this change has anything
> to do with moving from (a) multiple X509Data elements with a
> single X509Certificate to (b) a single X509Data element with
> multiple X509Certificate elements.
>
> It seems that the coin flip went with (a) initially. I don't
> see why the change that you mentioned pushes us closer to (b)...
>
> --Kevin
>
> -----Original Message-----
> From: Donald E. Eastlake 3rd [mailto:dee3@torque.pothole.com]
> Sent: Wednesday, August 16, 2000 2:16 PM
> To: Kevin Regan
> Cc: w3c-ietf-xmldsig@w3.org
> Subject: Re: X509Data tweaks
>
> I would say because the spec was being interpreted to prohibit having
> any cert in KeyInfo except ones with the signature verifying public
> key in them and requiring the use of RetrievalMethod to indicate
> any other related certs.
>
> Donald
>
> From: Kevin Regan <kevinr@valicert.com>
> Message-ID: <27FF4FAEA8CDD211B97E00902745CBE201AB44F9@seine.valicert.com>
> To: tgindin@us.ibm.com, "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
> Cc: w3c-ietf-xmldsig@w3.org
> Date: Wed, 16 Aug 2000 13:46:37 -0700
>
>> I'm curious why the leaning is now towards multiple certificates
>> in a single X509Data rather than 1 certificate per X509Data with
>> multiple X509Data elements? Is there a good reason for this? If not,
>> I don't think it would be appropriate to change the spec at this
>> point...
>>
>> --Kevin
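The rule Donald quotes ("Multiple declarations within KeyInfo refer to the same key") is what separates the two layouts Kevin labels (a) and (b). The following is an added example, not code from this thread or from the XML Signature specification, showing how a verifier that reads each ds:X509Data as one declaration treats the two layouts: it accepts a single X509Data holding the signing certificate together with its CA certificate, and rejects a KeyInfo in which the CA certificate sits in an X509Data of its own, since that declaration does not refer to the signing key. The certificate blobs and the `constructed_key_id` lookup are constructed placeholders; a real verifier would parse each DER certificate with an X.509 library and compare its SubjectPublicKeyInfo with the key that verified the SignatureValue.

```python
"""Apply the KeyInfo rule from the XMLDSIG thread to the two X509Data layouts.

Each ds:X509Data is treated as one declaration, so every X509Data must carry
a certificate for the signature verification key. Other certificates in the
same X509Data are accepted as related (chain) material.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
ET.register_namespace("ds", DS)

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
EE_CERT = b"constructed: end-entity certificate carrying the signing key"
CA_CERT = b"constructed: CA certificate that issued EE_CERT"

# Constructed key identities. Real code would parse the DER blob and hash or
# compare its SubjectPublicKeyInfo; that parsing is deliberately not modelled.
_KEY_OF: Dict[bytes, str] = {EE_CERT: "signing-key", CA_CERT: "ca-key"}


def constructed_key_id(cert_der: bytes) -> str:
    return _KEY_OF[cert_der]


def keyinfo_xml(bags: List[List[bytes]]) -> str:
    """Serialise certificate bags as a ds:KeyInfo with one ds:X509Data per bag."""
    keyinfo = ET.Element(f"{{{DS}}}KeyInfo")
    for bag in bags:
        x509data = ET.SubElement(keyinfo, f"{{{DS}}}X509Data")
        for der in bag:
            cert = ET.SubElement(x509data, f"{{{DS}}}X509Certificate")
            cert.text = base64.b64encode(der).decode("ascii")
    return ET.tostring(keyinfo, encoding="unicode")


def x509data_bags(keyinfo: str) -> List[List[bytes]]:
    """Return the certificates of each ds:X509Data child, in document order."""
    root = ET.fromstring(keyinfo)
    return [
        [base64.b64decode(c.text.strip()) for c in x.findall("ds:X509Certificate", NS)]
        for x in root.findall("ds:X509Data", NS)
    ]


def select_signing_cert(
    bags: List[List[bytes]],
    signing_key_id: str,
    key_id_of: Callable[[bytes], str],
) -> Tuple[bytes, List[bytes]]:
    """Return (signing certificate, related certificates).

    Raises ValueError when an X509Data declaration holds no certificate for
    the signing key, i.e. when it does not "refer to" that key.
    """
    signing = None
    related: List[bytes] = []
    for index, bag in enumerate(bags):
        if not any(key_id_of(der) == signing_key_id for der in bag):
            raise ValueError(f"X509Data #{index} does not refer to the signing key")
        for der in bag:
            if signing is None and key_id_of(der) == signing_key_id:
                signing = der
            else:
                related.append(der)
    if signing is None:
        raise ValueError("KeyInfo carries no X509Data")
    return signing, related


def check(keyinfo: str, signing_key_id: str = "signing-key"):
    """Return ("ok", signing_cert, related) or ("reject", reason, [])."""
    try:
        signing, related = select_signing_cert(
            x509data_bags(keyinfo), signing_key_id, constructed_key_id
        )
        return "ok", signing, related
    except ValueError as exc:
        return "reject", str(exc), []


# Layout (a): one certificate per X509Data; the CA certificate is its own declaration.
FORM_A = keyinfo_xml([[EE_CERT], [CA_CERT]])
# Layout (b): the related certificates as one bag inside a single X509Data.
FORM_B = keyinfo_xml([[EE_CERT, CA_CERT]])

if __name__ == "__main__":
    for name, ki in (("(a)", FORM_A), ("(b)", FORM_B)):
        print(name, check(ki)[0])
```

Under this reading, layout (a) can only carry certificates that all contain the signing key, which is why the earlier interpretation pushed other chain certificates out to RetrievalMethod; layout (b) keeps them in the same declaration as the signing certificate.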
Received on Thursday, 17 August 2000 08:48:21 UTC