ordering of multiple X509Certificates


I have a query about the case where multiple X509Certificate elements are
sent with a signature.  I couldn't find any information in the spec
concerning the order that they should be sent in, and I couldn't find any
mention of this in the mailing list archive.  I imagine this is intentionally
left out of the spec as it does not require any KeyInfo and leaves all this
up to the application level.

I would expect that when multiple certificates are sent, they should be sent
as a chain (same as how an SSL server must send certificates - RFC 2246),
with the sender's cert coming first and each following cert directly
certifying the one before it.

Does the spec actually mention anything about this, or does anyone else have
any thoughts?



Received on Thursday, 7 March 2002 19:54:50 UTC
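
Added example, not part of the original message or of the specification: a receiver that does not rely on the order in which X509Certificate elements arrive can rebuild the leaf-first chain described above from subject and issuer names. The `Cert` tuple, the `order_chain` function and the sample names are assumptions made for illustration; name matching gives only a candidate order, and each signature in the chain still has to be verified.

```python
from collections import namedtuple

# Hypothetical stand-in for a parsed certificate: only the two
# distinguished names needed to work out the ordering.
Cert = namedtuple("Cert", "subject issuer")


def order_chain(certs):
    """Return certs leaf-first, each followed by the cert that issued it.

    Raises ValueError when the set does not form exactly one chain.
    Simplification: subjects are assumed unique within the set, so
    cross-certificates and re-keyed CAs are rejected rather than resolved.
    """
    by_subject = {}
    for c in certs:
        if c.subject in by_subject:
            raise ValueError("duplicate subject: " + c.subject)
        by_subject[c.subject] = c

    # The end-entity cert is the one that issued nothing else in the set.
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected one end-entity cert, found %d" % len(leaves))

    chain = [leaves[0]]
    while True:
        current = chain[-1]
        if current.issuer == current.subject:
            break  # self-signed root included in the set
        parent = by_subject.get(current.issuer)
        if parent is None:
            break  # issuer not sent; the receiver must already trust it
        if parent in chain:
            raise ValueError("issuer loop at: " + parent.subject)
        chain.append(parent)

    if len(chain) != len(certs):
        raise ValueError("certificates present that are not part of the chain")
    return chain


# Constructed sample: three certificates received in arbitrary order.
RECEIVED = [
    Cert("CN=Example Root CA", "CN=Example Root CA"),
    Cert("CN=signer", "CN=Example Issuing CA"),
    Cert("CN=Example Issuing CA", "CN=Example Root CA"),
]
```
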