Re: The X509Data Element clarification...

How about

    Any X509IssuerSerial, X509SKI, and X509SubjectName elements that
    appear MUST refer to the certficiate or certificates containing
    the validation key.  All such elements that refer to a
    particular individual certificate MUST be grouped inside a
    single X509Data element and if the certificate to which they
    refer appears, it MUST also be in that X509Data element.

    Any X509IssuerSerial, X509SKI, and X509SubjectName elements that
    relate to the same key but different certificates MUST be
    grouped within a single KeyInfo but MAY occur in multiple
    X509Data elements.

    All certificates appearing in an X509Data element MUST relate to
    the validation key by either containing it or being part of a
    certification chain that termiantes in a certificate containing
    the validation key.

    No ordering is implied by the above constraints.

Donald

From:  "Joseph M. Reagle Jr." <reagle@w3.org>
Message-Id:  <4.3.2.7.2.20010213175523.02b18520@rpcp.mit.edu>
Date:  Tue, 13 Feb 2001 17:58:19 -0500
To:  "Donald E. Eastlake 3rd" <lde008@dma.isg.mot.com>
Cc:  Rich Salz <rsalz@caveosystems.com>, w3c-ietf-xmldsig@w3.org,
            lde008@dma.isg.mot.com
In-Reply-To:  <200102131551.KAA22833@noah.dma.isg.mot.com>
References:  <Your message of "Mon, 12 Feb 2001 22:24:41 EST." <3A88A8F9.F77FA4D6@cav
eosystems.com>

>At 10:51 2/13/2001 -0500, Donald E. Eastlake 3rd wrote:
>> >> All X509IssuerSerial, X509SKI, and X509SubjectName elements must refer
>> >> to certficiates with the validation key.  However, because you can
>> >> have multiple cetificates for the same key in the same X509Data
>> >> element, there may be multiple such elements referring to different
>> >> certificates or, of course, the same element.
>> >I assume you mean "certificate" for that last word.
>>Yes.
>> >Also, what about something like "No ordering is implied."
>>Sounds reasonable.
>
>I'm trying to integrate this paragraph:
>
>>All X509IssuerSerial, X509SKI, and X509SubjectName elements must refer to 
>>certficiates containing the validation key. However, since multiple 
>>cetificates for the same key are permitted in the same X509Data element, 
>>there may be multiple such elements referring to different certificates or, 
>>of course, the same certificate. No ordering of these element types is 
>>implied.
>
>with this paragraph:
>
>>Multiple declarations about a single certificate (e.g., a X509SubjectName 
>>and X509IssuerSerial element) MUST be grouped inside a single X509Data 
>>element; multiple declarations about the same key but different X509 
>>certificates (related to that single key) MUST be grouped within a single 
>>KeyInfo element but MAY occur in multiple X509Data elements.
>
>in a way that is comprehensible, but it's not working too well. Someone else 
>want to suggest some text?
>
>
>__
>Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
>W3C Policy Analyst                mailto:reagle@w3.org
>IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature
>W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
>

Received on Tuesday, 13 February 2001 23:01:33 UTC