- From: Joseph Swaminathan <jswamina@cisco.com>
- Date: Mon, 03 Feb 2003 11:28:54 -0800
- To: w3c-ietf-xmldsig@w3.org
While looking at the X509Data element (§4.4.4 of RFC 3275)
I have a few questions.
The specification says,
"1. At least one element, from the following set of element types; any
of these may appear together or more than once iff (if and only if)
each instance describes or is related to the same certificate:
o The X509IssuerSerial element, which contains an X.509 issuer
distinguished name/serial number pair that SHOULD be compliant
with RFC 2253 [LDAP-DN],
o The X509SubjectName element, which contains an X.509 subject
distinguished name that SHOULD be compliant with RFC 2253
[LDAP-DN],
o The X509SKI element, which contains the base64 encoded plain
(i.e., non-DER-encoded) value of a X509 V.3
SubjectKeyIdentifier extension.
o The X509Certificate element, which contains a base64-encoded
[X509v3] certificate, and
o Elements from an external namespace which
accompanies/complements any of the elements above.
o The X509CRL element, which contains a base64-encoded
certificate revocation list (CRL) [X509v3]."
1. When the X509Certificate element is present, is there any need
for the X509IssuerSerial, X509SubjectName and X509SKI elements? Is
it possible for all of these to be present? If so, what is
the significance of the latter three, as the first one contains
all of them?
2. Also, how is a certificate validated? Is it by
a) comparing it byte for byte with a list of acceptable
certificates in a database? If so, then it makes
sense to have the X.509 certificate as well as IssuerSerial,
SKI etc., because without an ASN.1 parser certificates
can be validated.
b) getting the public key of the issuer and verifying the
signature value in the certificate?
thanks
Joseph
Received on Monday, 3 February 2003 14:29:26 UTC
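The first question touches the check a verifier has to enforce: when X509Certificate sits beside X509IssuerSerial or X509SKI, the specification only allows them together if they describe the same certificate, so a verifier should cross-check the hints against the embedded certificate rather than trust either alone (otherwise the hints could name one certificate while the embedded bytes are another). The following is an added example, not part of this message or of any XML Signature implementation. It uses only the Python standard library: a minimal DER walker pulls the serial number and SubjectKeyIdentifier out of the certificate, and the X509Data fragment and the unsigned toy certificate are constructed here for illustration. Issuer-name matching (which needs RFC 2253 DN normalisation) is deliberately left out.

```python
"""Cross-check X509Data hints against the embedded X509Certificate (stdlib only)."""
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SKI_OID = bytes.fromhex("551d0e")                  # DER body of OID 2.5.29.14 (subjectKeyIdentifier)
RSA_ENC = bytes.fromhex("2a864886f70d010101")      # rsaEncryption, used only in the toy cert
RSA_SHA256 = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption, toy cert only

# --- minimal DER reader: enough to walk a well-formed certificate ---
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the value of a constructed type into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def cert_serial_and_ski(cert_der):
    """Return (serialNumber, subjectKeyIdentifier or None) from a DER certificate."""
    _, cert, _ = der_read(cert_der)                 # Certificate ::= SEQUENCE
    tbs = der_children(der_children(cert)[0][1])    # fields of tbsCertificate
    if tbs[0][0] == 0xA0:                           # [0] EXPLICIT version, optional
        tbs = tbs[1:]
    serial = int.from_bytes(tbs[0][1], "big", signed=True)
    ski = None
    for tag, val in tbs:
        if tag == 0xA3:                             # [3] EXPLICIT Extensions
            for _, ext in der_children(der_children(val)[0][1]):
                fields = der_children(ext)          # extnID, [critical], extnValue
                if fields[0][1] == SKI_OID:
                    # extnValue wraps the DER of KeyIdentifier ::= OCTET STRING;
                    # X509SKI carries the plain key identifier, so unwrap once more.
                    ski = der_read(fields[-1][1])[1]
    return serial, ski

def x509data_consistent(x509data_xml):
    """Check that X509IssuerSerial/X509SKI agree with X509Certificate; returns (ok, problems)."""
    root = ET.fromstring(x509data_xml)
    ns = {"ds": DSIG_NS}
    cert_el = root.find("ds:X509Certificate", ns)
    if cert_el is None:
        return True, []                             # nothing to cross-check
    serial, ski = cert_serial_and_ski(base64.b64decode(cert_el.text))
    problems = []
    serial_el = root.find("ds:X509IssuerSerial/ds:X509SerialNumber", ns)
    if serial_el is not None and int(serial_el.text.strip()) != serial:
        problems.append(f"X509SerialNumber {serial_el.text.strip()} != certificate serial {serial}")
    ski_el = root.find("ds:X509SKI", ns)
    if ski_el is not None and base64.b64decode(ski_el.text) != ski:
        problems.append("X509SKI does not match the certificate's SubjectKeyIdentifier")
    return not problems, problems

# --- constructed test data: a structurally valid but UNSIGNED toy certificate ---
def der(tag, content):
    """Encode one DER TLV (lengths below 65536 are enough here)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def toy_certificate(serial, ski):
    """Hypothetical certificate with the given serial and SKI; the signature is empty."""
    sig_alg = der(0x30, der(0x06, RSA_SHA256) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"Example CA"))))
    validity = der(0x30, der(0x17, b"030203000000Z") + der(0x17, b"040203000000Z"))
    spki = der(0x30, der(0x30, der(0x06, RSA_ENC) + der(0x05, b"")) + der(0x03, b"\x00"))  # placeholder key
    ext = der(0x30, der(0x06, SKI_OID) + der(0x04, der(0x04, ski)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                    # version v3
              + der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
              + sig_alg + name + validity + name + spki + der(0xA3, der(0x30, ext)))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))

def toy_x509data(cert_der, serial_text, ski_bytes):
    """Constructed X509Data fragment carrying IssuerSerial, SKI and the certificate."""
    return (f'<X509Data xmlns="{DSIG_NS}"><X509IssuerSerial>'
            f'<X509IssuerName>CN=Example CA</X509IssuerName>'
            f'<X509SerialNumber>{serial_text}</X509SerialNumber></X509IssuerSerial>'
            f'<X509SKI>{base64.b64encode(ski_bytes).decode()}</X509SKI>'
            f'<X509Certificate>{base64.b64encode(cert_der).decode()}</X509Certificate>'
            '</X509Data>')

if __name__ == "__main__":
    ski = bytes(range(20))
    cert = toy_certificate(4660, ski)
    print(x509data_consistent(toy_x509data(cert, "4660", ski)))   # (True, [])
    print(x509data_consistent(toy_x509data(cert, "4661", ski)))   # serial mismatch reported
```

A verifier that only matches X509IssuerSerial or X509SKI against its trust store, and then uses whatever bytes are in X509Certificate, would accept the tampered fragment; the consistency check is what ties the two together. Checking the certificate's signature against the issuer's public key (option b in the message) is a separate step that this example does not perform.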