rsalz at us.ibm.com
Tue Jul 18 22:16:40 PDT 2006
> "The entire certificate chain of the signer, including the root
> certificate, shall be carried in the KeyInfo element as a sequence of
> X509Data elements. Each of the X509Data elements shall correspond to one
> certificate in the chain, and contain one X509IssuerSerial element and
> X509Certificate element. The certificates may appear in any order."
This is valid.
> The research I've done seems to indicate that the entire certificate
> must be in one X509Data element.
This is wrong.
Look at item #1 at http://www.w3.org/TR/xmldsig-core/#sec-X509Data
    [these elements] may appear together one or more than once iff
    (if and only if) each instance describes or is related to the
    same certificate. ...
    All such elements that refer to a particular individual certificate
    MUST be grouped inside a single X509Data element and if the certificate
    to which they refer appears, it MUST also be in that X509Data element.
The intent is that each X509Data uniquely describes everything known about
a particular cert.
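As an added illustration (not part of the original thread), the checker below parses a KeyInfo and enforces the profile quoted at the top of the message: every X509Data describes exactly one certificate, carrying one X509IssuerSerial and one X509Certificate, in any order. The sample KeyInfo documents, the issuer name and the tiny DER stand-ins are constructed placeholders, not real certificates.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"  # XML DSig namespace
NS = {"ds": DS}

def _dummy_cert(n: int) -> str:
    # Constructed stand-in for a DER certificate: ASN.1 SEQUENCE { INTEGER n }.
    return base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, n])).decode()

def _x509data(n: int) -> str:
    # One constructed X509Data describing certificate n, as the profile requires.
    return (f"<ds:X509Data><ds:X509IssuerSerial>"
            f"<ds:X509IssuerName>CN=Example Root</ds:X509IssuerName>"
            f"<ds:X509SerialNumber>{n}</ds:X509SerialNumber></ds:X509IssuerSerial>"
            f"<ds:X509Certificate>{_dummy_cert(n)}</ds:X509Certificate></ds:X509Data>")

# Profile layout: one X509Data per certificate; the chain may be in any order.
KEYINFO_PER_CERT = f'<ds:KeyInfo xmlns:ds="{DS}">{_x509data(2)}{_x509data(1)}</ds:KeyInfo>'

# Whole chain in one X509Data: legal under the core spec, but not the quoted profile.
KEYINFO_ONE_DATA = (f'<ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>'
                    f'<ds:X509Certificate>{_dummy_cert(2)}</ds:X509Certificate>'
                    f'<ds:X509Certificate>{_dummy_cert(1)}</ds:X509Certificate>'
                    '</ds:X509Data></ds:KeyInfo>')

def chain_entries(keyinfo_xml: str) -> list[tuple[str, int, bytes]]:
    """One (issuer_name, serial, der) tuple per X509Data; ValueError on a profile violation."""
    root = ET.fromstring(keyinfo_xml)
    entries = []
    for data in root.findall("ds:X509Data", NS):
        certs = data.findall("ds:X509Certificate", NS)
        ids = data.findall("ds:X509IssuerSerial", NS)
        if len(certs) != 1 or len(ids) != 1:
            raise ValueError("X509Data must carry one X509IssuerSerial and one X509Certificate")
        issuer = (ids[0].findtext("ds:X509IssuerName", "", NS) or "").strip()
        serial = int((ids[0].findtext("ds:X509SerialNumber", "", NS) or "").strip())
        der = base64.b64decode(certs[0].text or "", validate=True)
        if not der or der[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE
            raise ValueError("X509Certificate is not base64-encoded DER")
        entries.append((issuer, serial, der))
    return entries

def conforms(keyinfo_xml: str) -> bool:
    # True when every X509Data in the KeyInfo follows the quoted profile.
    try:
        chain_entries(keyinfo_xml)
        return True
    except ValueError:
        return False
```

Pairing each X509IssuerSerial with the certificate in the same X509Data is what lets a verifier look up the right certificate without guessing which identifier belongs to which cert.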