thoughts on X509Data

I want to share one final thought about X509Data.  When creating a
KeyName, KeyValue,
PGPData, MgmtData, RetrievalMethod, etc., we are referring to the data
for exactly one key.
However, with X509Data, we can refer to a multitude of
keys/certificates.  I propose that
we bring X509Data (back) in line with all the other KeyInfo elements.
This would make a lot
more sense for implementations that come across an X509Data element.  If
we restrict
each X509Data element to refer to only a single certificate, we offer
consistency with all
the other KeyInfo elements.  Without this, X509Data becomes somewhat of
an anomaly.

To this end, I propose the following:

<!ELEMENT X509Data ( (X509IssuerSerial?, X509SKI?, X509SubjectName?) |
X509Certificate | X509CRL )>

In other words, either one of X509IssuerSerial, X509SKI, or
X509SubjectName (in order), or one X509Certificate, or
one X509CRL.  This seems much more consistent with the other KeyInfo
elements and is much easier
to deal with conceptually, from an API standpoint, and for


Received on Thursday, 17 August 2000 16:37:52 UTC