Re: Fw: Re:Call for Review: XML Digital Signature is a W3C Proposed Recommendation from Joseph Reagle on 2001-09-18 (w3c-ietf-xmldsig@w3.org from July to September 2001)

From: Joseph Reagle <reagle@w3.org>
Date: Tue, 18 Sep 2001 16:07:35 -0400
To: "Harada" <harada@prs.cs.fujitsu.co.jp>, <w3c-ietf-xmldsig@w3.org>
Cc: <toriumi@sysrap.cs.fujitsu.co.jp>, merlin <merlin@baltimore.ie>
Message-Id: <20010918200735.3B0E987619@policy.w3.org>

On Monday 17 September 2001 22:17, Harada wrote:
>  I have a comment on the X509CRLs structure.

Thank you for your comment. As you noted in your PR comment the X509 DTD 
had not been changed along with the spec and schema. (The DTD update was 
lost between [1] and [2], after Merlin raised the issue of the X509 
structure in his May [3] email entitled "X509CRL Discord". We altered the 
schema and text, but not the DTD.)

On this basis, I've changed the DTD to:

<!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName |
                    X509Certificate | X509CRL )+ %X509Data.ANY;)>

However, to your question below, I defer to those more knowledgable about 
X509 processing.

>  In verifying, do you use X509CRLs which is created before verifying?
> If X509CRLs are all valid, then there is no problem.
> But if there is an invalid X509CRL of an invalid certificate,
> should I get the new CRL for it?
>  We would retrieve CRLs of invalid ceritifcates if it would be mixed
> X509CRLs structure, and this would occurs invalid process. And if we
> would not retrieve CRLs,
> it would be uncertain to check certificate well by CRLs.
>
>  I think X509CRLs are for speed up of a right system security check.
> So I propose the following structure where we can check valid certificate
> by valid X509CRLs, and check it by the system instead of invalid
> X509CRLs.
>
>  <!ELEMENT X509Data (((X509IssuerSerial | X509SKI | X509SubjectName
>>  | X509Certificate), X509CRL*)+ %X509.ANY;)>

[1] http://www.w3.org/TR/2001/CR-xmldsig-core-20010419/#sec-X509Data
2. Or a single certificate revocation list: 
2.1 The X509CRL element, which contains a base64-encoded certificate 
revocation list (CRL) [X509v3].
[2] http://www.w3.org/TR/2001/PR-xmldsig-core-20010820/#sec-X509Data
 The content of X509Data is: At least one element, from the following set 
of element types ... The X509CRL element, which contains a base64-encoded 
certificate revocation list (CRL) [X509v3].
[3] 
http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2001AprJun/0111.html

Received on Tuesday, 18 September 2001 16:08:46 UTC