Re: How do I represent a Certificate Chain

Hi Christian,

Well, the text in Section 4.4.4 of XML-DSIG

    All certificates appearing in an X509Data element MUST relate to the
    validation key by either containing it or being part of a
    certification chain that terminates in a certificate containing the
    validation key.

and the example

      <KeyInfo>
        <!-- ... -->
        <X509Data> <!-- certificate chain -->
          <!--Signer cert, issuer CN=arbolCA,OU=FVT,O=IBM,C=US, serial 4-->
          <X509Certificate>MIICXTCCA..</X509Certificate>
          <!-- Intermediate cert subject CN=arbolCA,OU=FVT,O=IBM,C=US
               issuer CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
          <X509Certificate>MIICPzCCA...</X509Certificate>
          <!-- Root cert subject CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
          <X509Certificate>MIICSTCCA...</X509Certificate>
        </X509Data>
      </KeyInfo>

seem to suggest the first structure.

Ari

>Hi all,
>
>how do I represent a chain of certificates? If I have 3 certificates,
>
>
><ds:X509Data>
><ds:X509Certificate>base64ofcert1</ds:X509Certificate>
><ds:X509Certificate>base64ofcert2</ds:X509Certificate>
><ds:X509Certificate>base64ofcert3</ds:X509Certificate>
></ds:X509Data>
>
>
>or (which would make more sense to me):
>
><ds:X509Data>
><ds:X509Certificate>base64ofcert1</ds:X509Certificate>
></ds:X509Data>
><ds:X509Data>
><ds:X509Certificate>base64ofcert2</ds:X509Certificate>
></ds:X509Data>
><ds:X509Data>
><ds:X509Certificate>base64ofcert3</ds:X509Certificate>
></ds:X509Data>
>
>
>
>Regards,
>Christian
>

Received on Tuesday, 22 January 2002 14:55:03 UTC
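
The two layouts from the question, as a consumer would see them. This is an added example, not part of the original thread or of the XML-DSIG specification: it returns one group of decoded certificates per X509Data element. The function names and the tiny placeholder DER blobs are assumptions constructed for the illustration.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"  # XML-DSIG namespace URI
NS = {"ds": DS}

def x509data_groups(keyinfo_xml):
    """Return one list of DER blobs per ds:X509Data child of ds:KeyInfo."""
    # For untrusted input, parse with a hardened parser (e.g. defusedxml).
    root = ET.fromstring(keyinfo_xml)
    if root.tag != f"{{{DS}}}KeyInfo":
        raise ValueError("expected ds:KeyInfo as the root element")
    groups = []
    for data in root.findall("ds:X509Data", NS):
        certs = []
        for el in data.findall("ds:X509Certificate", NS):
            # The base64 text may be wrapped across lines; drop all whitespace.
            b64 = "".join((el.text or "").split())
            der = base64.b64decode(b64, validate=True)
            if not der.startswith(b"\x30"):
                raise ValueError("X509Certificate is not a DER SEQUENCE")
            certs.append(der)
        groups.append(certs)
    return groups

# Constructed placeholders: minimal DER SEQUENCEs, not real certificates.
CERTS = [b"\x30\x03\x02\x01" + bytes([n]) for n in (1, 2, 3)]

def keyinfo(layout):
    """Build a KeyInfo in the 'single' or 'split' layout from the question."""
    els = ["<ds:X509Certificate>%s</ds:X509Certificate>"
           % base64.b64encode(c).decode() for c in CERTS]
    if layout == "single":
        body = "<ds:X509Data>" + "".join(els) + "</ds:X509Data>"
    else:
        body = "".join("<ds:X509Data>%s</ds:X509Data>" % e for e in els)
    return '<ds:KeyInfo xmlns:ds="%s">%s</ds:KeyInfo>' % (DS, body)

if __name__ == "__main__":
    for layout in ("single", "split"):
        sizes = [len(g) for g in x509data_groups(keyinfo(layout))]
        print(layout, "->", len(sizes), "X509Data group(s), sizes", sizes)
```

With the first layout the verifier receives the whole chain as one set tied to a single validation key; with the second it receives three independent sets and has to work out any relationship between them itself.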