[xmlsec] core methods for write of <X509SubjectName/> and <X509IssuerSerial/>

Aleksey Sanin aleksey at aleksey.com
Fri Jul 18 07:10:16 PDT 2003


> Please check http://roumenpetrov.info/tmp/xmlsec/ for the files.
> About the patch:
> - please review the new methods - they are release candidates;
> - everything else is a very early release, even before an alpha version ;-).

Ok, I'll take a look later today.


> Good idea, but "merlin-xmldsig-twenty-three/signature-x509-is.tmpl" 
> has only <X509Data/>, i.e. the format of the elements in X509Data should be 
> specified from the command line and/or environment. Of course, when the 
> template contains "<X509Data><X509SubjectName/></X509Data>" we should 
> use 'sn' when the X509Data element type is undefined.

No! If there are no children in the <X509Data/> element then xmlsec should 
do the same as it does today: write the full cert (see item 1 from my list).


> No idea. Yes, we can send the CRL, but when the signer (one side) has an old CRL 
> and the verifier (other side) has a new CRL we should take care of this 
> (especially when the new CRL revokes one of the certificates). I think it is 
> possible for a new CRL to be issued before the expiration date of the old CRL. 
> Some CRLs are too big.

Well, if you have CRLs related to your certs then you probably MUST send 
them. And maybe we should have a "don't write CRLs" flag in xmlSecKeyInfoCtx.


> Yes. How do we specify this from the command line?

Well, suppose you have certs in a pkcs12 file. Again, I am not sure I want 
to do this at all. It's just a generalization of your suggestion :) And I am 
investigating options :) Maybe someone on the list has a good idea about that :)


Aleksey
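The template-driven rule discussed above (an empty <X509Data/> gets the full certificate, while a template that names <X509SubjectName/> or <X509IssuerSerial/> gets only those children filled in), together with a "don't write CRLs" switch, as an added example. This is not xmlsec code and does not use the xmlsec API; it fills a KeyInfo template with Python's ElementTree over a constructed stand-in for a parsed certificate (SAMPLE_CERT, with placeholder base64 payloads), and the function names fill_x509data, fill_template and x509data_summary are this example's own. It only writes the KeyInfo content; it does not compute a signature.

```python
import xml.etree.ElementTree as ET

# XML-DSig namespace; registered with an empty prefix so output uses xmlns="...".
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", DSIG_NS)


def _q(tag):
    """Clark-notation name for an XML-DSig element."""
    return "{%s}%s" % (DSIG_NS, tag)


def _local(tag):
    """Strip the namespace from a Clark-notation tag."""
    return tag.rsplit("}", 1)[-1]


# Constructed stand-in for a parsed signing certificate (example data, not
# real DER): subject/issuer as distinguished names, serial as an integer,
# base64 placeholders for the certificate and one CRL.
SAMPLE_CERT = {
    "subject": "CN=Example Signer,O=Example Org,C=US",
    "issuer": "CN=Example CA,O=Example Org,C=US",
    "serial": 123456789,
    "cert_b64": "MIIB...constructed-cert...",
    "crls_b64": ["MIIA...constructed-crl..."],
}


def fill_x509data(x509data, cert, write_crls=True):
    """Fill one <X509Data/> element in place.

    Empty element: write the full certificate (plus CRLs unless suppressed).
    Non-empty element: fill only the children the template names.
    """
    if len(x509data) == 0:
        ET.SubElement(x509data, _q("X509Certificate")).text = cert["cert_b64"]
        if write_crls:
            for crl in cert["crls_b64"]:
                ET.SubElement(x509data, _q("X509CRL")).text = crl
        return
    for child in list(x509data):
        tag = _local(child.tag)
        if tag == "X509SubjectName":
            child.text = cert["subject"]
        elif tag == "X509IssuerSerial":
            # XML-DSig defines X509IssuerName and X509SerialNumber as its children;
            # drop any stale content from the template first.
            for stale in list(child):
                child.remove(stale)
            ET.SubElement(child, _q("X509IssuerName")).text = cert["issuer"]
            ET.SubElement(child, _q("X509SerialNumber")).text = str(cert["serial"])
        elif tag == "X509Certificate":
            child.text = cert["cert_b64"]
        elif tag == "X509CRL":
            if write_crls and cert["crls_b64"]:
                child.text = cert["crls_b64"][0]
            else:
                x509data.remove(child)  # the "don't write CRLs" switch
        else:
            raise ValueError("unsupported X509Data child: %s" % tag)


def fill_template(template_xml, cert=SAMPLE_CERT, write_crls=True):
    """Fill every <X509Data/> in a signature template; returns the XML text."""
    root = ET.fromstring(template_xml)
    # Snapshot the matches: fill_x509data changes the tree under each one.
    for x509data in list(root.iter(_q("X509Data"))):
        fill_x509data(x509data, cert, write_crls)
    return ET.tostring(root, encoding="unicode")


def x509data_summary(xml_text):
    """Per <X509Data/>: [(child tag, text)] or [(child tag, [(grandchild, text)])]."""
    root = ET.fromstring(xml_text)
    out = []
    for x509data in root.iter(_q("X509Data")):
        out.append([(_local(c.tag),
                     c.text if len(c) == 0 else [(_local(g.tag), g.text) for g in c])
                    for c in x509data])
    return out


# Constructed templates mirroring the two cases in the thread.
EMPTY_TEMPLATE = (
    '<Signature xmlns="%s"><KeyInfo><X509Data/></KeyInfo></Signature>' % DSIG_NS)
SUBJECT_ISSUER_TEMPLATE = (
    '<Signature xmlns="%s"><KeyInfo><X509Data>'
    '<X509SubjectName/><X509IssuerSerial/></X509Data></KeyInfo></Signature>' % DSIG_NS)

if __name__ == "__main__":
    print(fill_template(EMPTY_TEMPLATE))
    print(fill_template(EMPTY_TEMPLATE, write_crls=False))
    print(fill_template(SUBJECT_ISSUER_TEMPLATE))
```

The empty template comes back with <X509Certificate/> and one <X509CRL/>; with write_crls=False the CRL is left out; the subject/issuer template gets exactly the two children it names, and the issuer name and serial sit inside <X509IssuerSerial/> as the spec requires. A real implementation would also have to decide, as the thread notes, what a verifier does when its own CRL is newer than the one carried in the signature.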