Re: X509Data tweaks from Donald E. Eastlake 3rd on 2000-08-17 (w3c-ietf-xmldsig@w3.org from July to September 2000)

From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
Date: Thu, 17 Aug 2000 08:58:39 -0400
To: tgindin@us.ibm.com
cc: w3c-ietf-xmldsig@w3.org
Message-Id: <200008171258.IAA15716@torque.pothole.com>

Oh.

Well, while I think having a chain as the only example might be
misleading, having a chain as one example seems like a reasonable
request...

Donald

From:  tgindin@us.ibm.com
To:  "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
cc:  w3c-ietf-xmldsig@w3.org
Message-ID:  <8525693D.006A5F79.00@D51MTA04.pok.ibm.com>
Date:  Wed, 16 Aug 2000 15:21:51 -0400

>     There seems to be a misunderstanding about what I proposed.
>     The format of the return is indeed a "bag of certs".  What I was
>recommending was that the (or at least one) example "bag" be one that
>client software could form into a chain if it so desired.  The current
>example is a bag in which the certificates have no obvious relationship.
>The most common case for multiple certificates "related to a single key" is
>indeed the case where the certificates form one or more chains, is it not?
>
>          Tom Gindin
>
>
>"Donald E. Eastlake 3rd" <dee3@torque.pothole.com>@w3.org on 08/16/2000
>02:04:01 PM
>
>Sent by:  w3c-ietf-xmldsig-request@w3.org
>
>
>To:   w3c-ietf-xmldsig@w3.org
>cc:
>Subject:  Re: X509Data tweaks
>
>
>
>Hi,
>
>From:  tgindin@us.ibm.com
>To:  Brian LaMacchia <bal@microsoft.com>
>cc:  "'Donald E. Eastlake 3rd'" <dee3@torque.pothole.com>,
>            w3c-ietf-xmldsig@w3.org
>Message-ID:  <85256938.0081A92F.00@D51MTA04.pok.ibm.com>
>Date:  Fri, 11 Aug 2000 19:36:09 -0400
>
>>     Wouldn't the example of multiple X509Data's in a single KeyInfo make
>>more sense if the certificates formed a chain?  There is an example, which
>
>I don't think so.
>
>There certainly doesn't seem to be any practical necessity for this as
>most X509 handling software I know about is adapted to getting a
>miscellaneous bag of certificates and sifting through it for whatever
>is useful.
>
>Mandating a "chain" would start us down the slippery sloap of just
>what a valid chain is, what valid roots are, what if the chain forks
>to more than one root, what if the validity periods seem expired
>(valid if you ar trying to do a historic validation), don't overlap,
>..., what about policies, name subordination, etc. etc. etc.
>Furthermore, last I know, X509 partisans answered PGP based critics by
>saying that there is no need whatsoever to use X509 certificates in a
>hierarchial fashion.  You can have a pure web-of-trust model that is
>based on X509 certs.  What's a "chain" in that case?
>
>Donald
>
>>I hope is fairly understandable, in my earlier posting
>>http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2000JulSep/0198.html.
>>That example has X509Data's for three separate certificates, the first of
>>which is an end-user certificate which was the signer of the actual
>>document, the second of which is a CA certificate which is the issuer of
>>the first certificate, and the third of which is a root CA which was the
>>issuer of the second certificate.
>>
>>          Tom Gindin
>
>
>
>

Received on Thursday, 17 August 2000 08:56:01 UTC