Re: X509Data tweaks


Well, while I think having a chain as the only example might be
misleading, having a chain as one example seems like a reasonable


To:  "Donald E. Eastlake 3rd" <>
Message-ID:  <>
Date:  Wed, 16 Aug 2000 15:21:51 -0400

>     There seems to be a misunderstanding about what I proposed.
>     The format of the return is indeed a "bag of certs".  What I was
>recommending was that the (or at least one) example "bag" be one that
>client software could form into a chain if it so desired.  The current
>example is a bag in which the certificates have no obvious relationship.
>The most common case for multiple certificates "related to a single key" is
>indeed the case where the certificates form one or more chains, is it not?
>          Tom Gindin
>"Donald E. Eastlake 3rd" <> on 08/16/2000
>02:04:01 PM
>Sent by:
>Subject:  Re: X509Data tweaks
>To:  Brian LaMacchia <>
>cc:  "'Donald E. Eastlake 3rd'" <>,
>Message-ID:  <>
>Date:  Fri, 11 Aug 2000 19:36:09 -0400
>>     Wouldn't the example of multiple X509Data's in a single KeyInfo make
>>more sense if the certificates formed a chain?  There is an example, which
>I don't think so.
>There certainly doesn't seem to be any practical necessity for this as
>most X509 handling software I know about is adapted to getting a
>miscellaneous bag of certificates and sifting through it for whatever
>is useful.
>Mandating a "chain" would start us down the slippery sloap of just
>what a valid chain is, what valid roots are, what if the chain forks
>to more than one root, what if the validity periods seem expired
>(valid if you ar trying to do a historic validation), don't overlap,
>..., what about policies, name subordination, etc. etc. etc.
>Furthermore, last I know, X509 partisans answered PGP based critics by
>saying that there is no need whatsoever to use X509 certificates in a
>hierarchial fashion.  You can have a pure web-of-trust model that is
>based on X509 certs.  What's a "chain" in that case?
>>I hope is fairly understandable, in my earlier posting
>>That example has X509Data's for three separate certificates, the first of
>>which is an end-user certificate which was the signer of the actual
>>document, the second of which is a CA certificate which is the issuer of
>>the first certificate, and the third of which is a root CA which was the
>>issuer of the second certificate.
>>          Tom Gindin

Received on Thursday, 17 August 2000 08:56:01 UTC