- From: Ari Kermaier <arik@phaos.com>
- Date: Tue, 22 Jan 2002 14:55:00 -0500
- To: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>, w3c-ietf-xmldsig@w3.org
Hi Christian,

Well, the text in Section 4.4.4 of XML-DSIG

  All certificates appearing in an X509Data element MUST relate to the
  validation key by either containing it or being part of a certification
  chain that terminates in a certificate containing the validation key.

and the example

  <KeyInfo>
    <!-- ... -->
    <X509Data>
      <!-- certificate chain -->
      <!--Signer cert, issuer CN=arbolCA,OU=FVT,O=IBM,C=US, serial 4-->
      <X509Certificate>MIICXTCCA..</X509Certificate>
      <!-- Intermediate cert subject CN=arbolCA,OU=FVT,O=IBM,C=US
           issuer CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
      <X509Certificate>MIICPzCCA...</X509Certificate>
      <!-- Root cert subject CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
      <X509Certificate>MIICSTCCA...</X509Certificate>
    </X509Data>
  </KeyInfo>

seem to suggest the first structure.

Ari

>Hi all,
>
>how do I represent a chain of certificates? If I have 3 certificates,
>
><ds:X509Data>
>  <ds:X509Certificate>base64ofcert1</ds:X509Certificate>
>  <ds:X509Certificate>base64ofcert2</ds:X509Certificate>
>  <ds:X509Certificate>base64ofcert3</ds:X509Certificate>
></ds:X509Data>
>
>or (which would make more sense to me):
>
><ds:X509Data>
>  <ds:X509Certificate>base64ofcert1</ds:X509Certificate>
></ds:X509Data>
><ds:X509Data>
>  <ds:X509Certificate>base64ofcert2</ds:X509Certificate>
></ds:X509Data>
><ds:X509Data>
>  <ds:X509Certificate>base64ofcert3</ds:X509Certificate>
></ds:X509Data>
>
>Regards,
>Christian
Received on Tuesday, 22 January 2002 14:55:03 UTC
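Added example, not from this thread or from the XML-DSIG specification, in Go against the standard library only. It mints a constructed three-level hierarchy (root, intermediate, signer) with the names from the spec example quoted above, serialises it the way that example does, as one X509Data holding one X509Certificate child per certificate, and then applies the Section 4.4.4 MUST on the verifier's side: every certificate carried in X509Data must contain the validation key or sit on an accepted chain that ends in the certificate that does, with the chain anchored in the verifier's own trust store rather than in whatever root the message happens to carry. The function names MintChain, BuildKeyInfo and ValidateX509Data are this example's own; all keys and certificates are generated at run time, so nothing here stands in for the base64 values elided in the spec.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// KeyInfo mirrors ds:KeyInfo; the "X509Data>X509Certificate" path tag makes Go emit
// every certificate as an X509Certificate child of ONE X509Data, as in the spec example.
type KeyInfo struct {
	XMLName      xml.Name `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo"`
	Certificates []string `xml:"X509Data>X509Certificate"`
}

// mint issues a minimal P-256 certificate under parent (nil parent = self-signed root).
func mint(serial int64, cn, org string, ca bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, OrganizationalUnit: []string{"FVT"}, Organization: []string{org}, Country: []string{"US"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, // the CA flag is what chain building checks
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// MintChain builds a constructed root -> intermediate -> signer hierarchy with the spec
// example's names; it returns the signer's key and [signer, intermediate, root].
func MintChain() (*ecdsa.PrivateKey, []*x509.Certificate) {
	root, rootKey := mint(1, "tootiseCA", "Bridgepoint", true, nil, nil)
	inter, interKey := mint(2, "arbolCA", "IBM", true, root, rootKey)
	leaf, leafKey := mint(4, "signer", "IBM", false, inter, interKey)
	return leafKey, []*x509.Certificate{leaf, inter, root}
}

// BuildKeyInfo serialises the chain, signer first, as one X509Data of X509Certificates.
func BuildKeyInfo(certs []*x509.Certificate) ([]byte, error) {
	var ki KeyInfo
	for _, c := range certs {
		ki.Certificates = append(ki.Certificates, base64.StdEncoding.EncodeToString(c.Raw))
	}
	return xml.MarshalIndent(ki, "", "  ")
}

// ValidateX509Data enforces the Section 4.4.4 MUST: every certificate in X509Data must
// contain the validation key or lie on an accepted chain ending in one that does.
// Trust anchors come from the verifier's own store, never from the message itself.
func ValidateX509Data(keyInfoXML []byte, validationKey *ecdsa.PublicKey, trusted *x509.CertPool) error {
	var ki KeyInfo
	if err := xml.Unmarshal(keyInfoXML, &ki); err != nil {
		return err
	}
	var certs []*x509.Certificate
	var leaf *x509.Certificate
	inter := x509.NewCertPool()
	for _, b64 := range ki.Certificates {
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), "")) // base64 may be line-wrapped
		c, perr := x509.ParseCertificate(der)
		if err != nil || perr != nil {
			return fmt.Errorf("bad X509Certificate: decode=%v parse=%v", err, perr)
		}
		certs = append(certs, c)
		if pk, ok := c.PublicKey.(*ecdsa.PublicKey); ok && leaf == nil && pk.Equal(validationKey) {
			leaf = c // the certificate that contains the validation key
		} else {
			inter.AddCert(c) // anything else may only serve as an intermediate
		}
	}
	if leaf == nil {
		return fmt.Errorf("no certificate in X509Data contains the validation key")
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Intermediates: inter, Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return err
	}
	onChain := map[string]bool{}
	for _, chain := range chains {
		for _, c := range chain {
			onChain[string(c.Raw)] = true
		}
	}
	for _, c := range certs { // a certificate on no accepted chain violates the MUST
		if !onChain[string(c.Raw)] {
			return fmt.Errorf("certificate %q does not relate to the validation key", c.Subject.CommonName)
		}
	}
	return nil
}
```

Usage: key, certs := MintChain(); ki, _ := BuildKeyInfo(certs); then ValidateX509Data(ki, &key.PublicKey, roots) with roots a CertPool holding certs[2]. Two points worth noticing. The path tag collects X509Certificate children from any number of X509Data elements, so the verifier side reads both layouts from the question the same way; the MUST is about how each certificate relates to the validation key, and that relation is what gets checked. And the root certificate the message carries is only ever matched against the chains Go builds from the caller's trust store: passing an empty pool makes validation fail even though the root is right there in X509Data, which is the behaviour you want, since a signer can put any self-signed certificate into KeyInfo.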