- From: Ari Kermaier <arik@phaos.com>
- Date: Tue, 22 Jan 2002 14:55:00 -0500
- To: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>, w3c-ietf-xmldsig@w3.org
Hi Christian,
Well, the text in Section 4.4.4 of XML-DSIG
All certificates appearing in an X509Data element MUST relate to the
validation key by either containing it or being part of a
certification chain that terminates in a certificate containing the
validation key.
and the example
<KeyInfo>
<!-- ... -->
<X509Data> <!-- certificate chain -->
<!--Signer cert, issuer CN=arbolCA,OU=FVT,O=IBM,C=US, serial 4-->
<X509Certificate>MIICXTCCA..</X509Certificate>
<!-- Intermediate cert subject CN=arbolCA,OU=FVT,O=IBM,C=US
issuer CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
<X509Certificate>MIICPzCCA...</X509Certificate>
<!-- Root cert subject CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
<X509Certificate>MIICSTCCA...</X509Certificate>
</X509Data>
</KeyInfo>
seem to suggest the first structure.
Ari
>Hi all,
>
>how do I represent a chain of certificates? If I have 3 certificates,
>
>
><ds:X509Data>
><ds:X509Certificate>base64ofcert1</ds:X509Certificate>
><ds:X509Certificate>base64ofcert2</ds:X509Certificate>
><ds:X509Certificate>base64ofcert3</ds:X509Certificate>
></ds:X509Data>
>
>
>or (which would make more sense to me):
>
><ds:X509Data>
><ds:X509Certificate>base64ofcert1</ds:X509Certificate>
></ds:X509Data>
><ds:X509Data>
><ds:X509Certificate>base64ofcert2</ds:X509Certificate>
></ds:X509Data>
><ds:X509Data>
><ds:X509Certificate>base64ofcert3</ds:X509Certificate>
></ds:X509Data>
>
>
>
>Regards,
>Christian
>
Received on Tuesday, 22 January 2002 14:55:03 UTC