Re: X509Data tweaks

It says in the Syntax and Processing document "Multiple declarations
within KeyInfo refer to the same key."  An X509Data element is a
declaration within a KeyInfo element.  The conensus is that other
certificates than ones actualy containing a key don't "refer to" that
key.  Thus the minor change of putting multiple certificates from a
bag in an X509Data rather than one certificate each in multiple
X509Data's.  All the groups involved in current interoperability
testing seem to think this minor change is fine.

I'm sorry if you guys don't think the above is sufficient motivation
for this minor change.  Most people seem to think it is.  And since
you seem to agree that it is not a big deal, unless some consensus
materializes to change it again, it will stay multiple certificates
per X509Data element in this document.

(And if the current consensus for multiple certificates per X509Data
element disolves into anarchy, the entire section will be pulled from
this document and there will be no standard in this area for some time
until a hypothetical additional document gets written and approved.  I
believe this would damange interoperabiiity.)


X-Lotus-FromDomain:  IBMUS
To:  Kevin Regan <>
cc:  "Donald E. Eastlake 3rd" <>,
Message-ID:  <>
Date:  Wed, 16 Aug 2000 17:46:25 -0400
Content-type:  text/plain; charset=us-ascii
Content-Disposition:  inline
>     I don't know what this issue has to do with whether there are multiple
>certificates in an X509Data, or multiple single-certificate X509Data's in a
>KeyInfo either.  The example I was suggesting go into the specification
>actually had multiple related certificates in separate X509Data's within a
>single KeyInfo.
>          Tom Gindin
>Kevin Regan <> on 08/16/2000 05:10:53 PM
>Sent by:
>To:   "Donald E. Eastlake 3rd" <>, Kevin Regan
>      <>
>Subject:  RE: X509Data tweaks
>I did notice the initial wording that talked about only
>having certificates "related" to the authentication public
>key.  However, I still don't see why this change has anything
>to do with moving from (a) multiple X509Data elements with a
>single X509Certificate to (b) a single X509Data element with
>multiple X509Certificate elements.
>It seems that the coin flip went with (a) initially.  I don't
>see why the change that you mentioned pushes us closer to (b)...
>-----Original Message-----
>From: Donald E. Eastlake 3rd []
>Sent: Wednesday, August 16, 2000 2:16 PM
>To: Kevin Regan
>Subject: Re: X509Data tweaks
>I would say because the spec was being interpreted to prohibit having
>any cert in KeyInfo except ones with the signature verifying public
>key in them and requireing the use of RetrievalMethod to indicate
>any other related certs.
>From:  Kevin Regan <>
>To:, "Donald E. Eastlake 3rd"
>Date:  Wed, 16 Aug 2000 13:46:37 -0700
>>I'm curious why the leaning is now towards multiple certificates
>>in a single X509Data rather than 1 certificate per X509Data with
>>multiple X509Data elements?  Is there a good reason for this?  If not,
>>I don't think it would be appropriate to change the spec at this

Received on Thursday, 17 August 2000 08:48:21 UTC