- From: Tom Gindin <tgindin@us.ibm.com>
- Date: Wed, 14 Feb 2001 07:58:12 -0500
- To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
- Cc: "Donald E. Eastlake 3rd" <lde008@dma.isg.mot.com>, w3c-ietf-xmldsig@w3.org
This wording is better than what I was coming up with. But on a
related subject, why isn't the rule about elements for different but
related certificates that they SHOULD occur within different X509Data
elements of the same KeyInfo element? I realize that it is too late to
impose a MUST rule on this.
Tom Gindin
"Donald E. Eastlake 3rd" <dee3@torque.pothole.com>@w3.org on 02/13/2001
11:01:30 PM
Sent by: w3c-ietf-xmldsig-request@w3.org
To: "Donald E. Eastlake 3rd" <lde008@dma.isg.mot.com>,
w3c-ietf-xmldsig@w3.org
cc:
Subject: Re: The X509Data Element clarification...
How about
Any X509IssuerSerial, X509SKI, and X509SubjectName elements that
appear MUST refer to the certficiate or certificates containing
the validation key. All such elements that refer to a
particular individual certificate MUST be grouped inside a
single X509Data element and if the certificate to which they
refer appears, it MUST also be in that X509Data element.
Any X509IssuerSerial, X509SKI, and X509SubjectName elements that
relate to the same key but different certificates MUST be
grouped within a single KeyInfo but MAY occur in multiple
X509Data elements.
All certificates appearing in an X509Data element MUST relate to
the validation key by either containing it or being part of a
certification chain that termiantes in a certificate containing
the validation key.
No ordering is implied by the above constraints.
Donald
From: "Joseph M. Reagle Jr." <reagle@w3.org>
Message-Id: <4.3.2.7.2.20010213175523.02b18520@rpcp.mit.edu>
Date: Tue, 13 Feb 2001 17:58:19 -0500
To: "Donald E. Eastlake 3rd" <lde008@dma.isg.mot.com>
Cc: Rich Salz <rsalz@caveosystems.com>, w3c-ietf-xmldsig@w3.org,
lde008@dma.isg.mot.com
In-Reply-To: <200102131551.KAA22833@noah.dma.isg.mot.com>
References: <Your message of "Mon, 12 Feb 2001 22:24:41 EST."
<3A88A8F9.F77FA4D6@cav
eosystems.com>
>At 10:51 2/13/2001 -0500, Donald E. Eastlake 3rd wrote:
>> >> All X509IssuerSerial, X509SKI, and X509SubjectName elements must
refer
>> >> to certficiates with the validation key. However, because you can
>> >> have multiple cetificates for the same key in the same X509Data
>> >> element, there may be multiple such elements referring to different
>> >> certificates or, of course, the same element.
>> >I assume you mean "certificate" for that last word.
>>Yes.
>> >Also, what about something like "No ordering is implied."
>>Sounds reasonable.
>
>I'm trying to integrate this paragraph:
>
>>All X509IssuerSerial, X509SKI, and X509SubjectName elements must refer to
>>certficiates containing the validation key. However, since multiple
>>cetificates for the same key are permitted in the same X509Data element,
>>there may be multiple such elements referring to different certificates
or,
>>of course, the same certificate. No ordering of these element types is
>>implied.
>
>with this paragraph:
>
>>Multiple declarations about a single certificate (e.g., a X509SubjectName
>>and X509IssuerSerial element) MUST be grouped inside a single X509Data
>>element; multiple declarations about the same key but different X509
>>certificates (related to that single key) MUST be grouped within a single
>>KeyInfo element but MAY occur in multiple X509Data elements.
>
>in a way that is comprehensible, but it's not working too well. Someone
else
>want to suggest some text?
>
>
>__
>Joseph Reagle Jr. http://www.w3.org/People/Reagle/
>W3C Policy Analyst mailto:reagle@w3.org
>IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature
>W3C XML Encryption Chair http://www.w3.org/Encryption/2001/
>
Received on Wednesday, 14 February 2001 07:59:11 UTC