[xmlsec] X509Data

Richard Salz rsalz at us.ibm.com
Tue Jul 18 22:16:40 PDT 2006

> "The entire certificate chain of the signer, including the root
> certificate, shall be carried in the KeyInfo element as a sequence of
> X509Data elements. Each of the X509Data elements shall correspond to one
> certificate in the chain, and contain one X509IssuerSerial element and 
> X509Certificate element. The certificates may appear in any order."

This is valid.

> The research I've done seems to indicate that the entire certificate 
> must be in one X509Data element.

This is wrong.

Look at item #1 at http://www.w3.org/TR/xmldsig-core/#sec-X509Data
        [these elements] may appear together one or more than once iff
        (if and only if) each instance describes or is related to the
        same certificate. ...
        All such elements that refer to a particular individual certificate
        MUST be grouped inside a single X509Data element and if the certificate
        to which they refer appears, it MUST also be in that X509Data element.

The intent is that each X509Data uniquely describes everything known about 
a particular cert.
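As an added illustration (not part of the list post, and not xmlsec code), the following Python script builds the KeyInfo layout the quoted profile asks for, one X509Data per certificate with that certificate's X509IssuerSerial grouped beside it, and then checks the grouping rule from item #1: the X509IssuerSerial inside an X509Data must describe the certificate carried in that same X509Data. It uses only the standard library; the serial number is read straight out of the DER (Certificate -> tbsCertificate -> [0] version -> serialNumber), and the issuer name is not compared, since that would need a DN parser. The chain data, issuer strings and the "stand-in certificate" blobs are constructed for the example and are not real certificates; in practice feed it DER produced by openssl.

```python
"""Build and check a ds:KeyInfo that carries a chain as one X509Data per cert."""
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)


def q(local):
    """Clark-notation name for a ds: element."""
    return "{%s}%s" % (DS, local)


def build_keyinfo(chain):
    """One ds:X509Data per certificate, each grouping the certificate with the
    X509IssuerSerial that identifies it (the layout the quoted profile asks for).
    chain: list of dicts with keys 'issuer' (str), 'serial' (int), 'der' (bytes)."""
    keyinfo = ET.Element(q("KeyInfo"))
    for cert in chain:
        x509data = ET.SubElement(keyinfo, q("X509Data"))
        issuer_serial = ET.SubElement(x509data, q("X509IssuerSerial"))
        ET.SubElement(issuer_serial, q("X509IssuerName")).text = cert["issuer"]
        ET.SubElement(issuer_serial, q("X509SerialNumber")).text = str(cert["serial"])
        ET.SubElement(x509data, q("X509Certificate")).text = (
            base64.b64encode(cert["der"]).decode("ascii"))
    return keyinfo


def build_single_x509data(chain):
    """The reading the original poster was worried about: the whole chain in a
    single X509Data, with no per-certificate identifiers."""
    keyinfo = ET.Element(q("KeyInfo"))
    x509data = ET.SubElement(keyinfo, q("X509Data"))
    for cert in chain:
        ET.SubElement(x509data, q("X509Certificate")).text = (
            base64.b64encode(cert["der"]).decode("ascii"))
    return keyinfo


def _tlv(data, pos):
    """Decode the DER tag/length at data[pos:]; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_serial(cert_der):
    """serialNumber of a DER Certificate: SEQUENCE { tbsCertificate SEQUENCE {
    [0] version OPTIONAL, serialNumber INTEGER, ... } ... }."""
    tag, pos, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, pos, _ = _tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _tlv(cert_der, pos)
    if tag == 0xA0:                        # explicit [0] version: skip it
        tag, start, end = _tlv(cert_der, end)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(cert_der[start:end], "big", signed=True)


def check_keyinfo(keyinfo):
    """Return a list of problems (empty means OK). Enforces the quoted profile
    (exactly one X509Certificate and one X509IssuerSerial per X509Data) and
    xmldsig-core 4.4.4 item 1 (the X509IssuerSerial must describe the
    certificate it is grouped with; compared on the serial number only)."""
    problems = []
    for i, x509data in enumerate(keyinfo.findall(q("X509Data"))):
        certs = x509data.findall(q("X509Certificate"))
        serials = x509data.findall("%s/%s" % (q("X509IssuerSerial"), q("X509SerialNumber")))
        if len(certs) != 1 or len(serials) != 1:
            problems.append("X509Data #%d: %d X509Certificate and %d X509IssuerSerial/"
                            "X509SerialNumber elements, expected one of each"
                            % (i, len(certs), len(serials)))
            continue
        actual = der_serial(base64.b64decode(certs[0].text))
        if int(serials[0].text) != actual:
            problems.append("X509Data #%d: X509SerialNumber %s does not match the "
                            "embedded certificate's serial %d" % (i, serials[0].text, actual))
    return problems


def _der(tag, content):
    """Short-form DER TLV (content under 128 bytes); enough for the samples."""
    return bytes([tag, len(content)]) + content


def stand_in_cert(serial):
    """Constructed stand-in, NOT a real certificate: only the leading
    tbsCertificate fields (version, serialNumber) so der_serial() has a
    realistic prefix to walk. Replace with real DER from openssl in practice."""
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # positive INTEGER
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial_bytes)
    return _der(0x30, _der(0x30, tbs))


# Constructed sample chain (leaf, intermediate, root); the profile allows any order.
CHAIN = [
    {"issuer": "CN=Example Intermediate CA,O=Example", "serial": 0x1234, "der": stand_in_cert(0x1234)},
    {"issuer": "CN=Example Root CA,O=Example", "serial": 0x0201, "der": stand_in_cert(0x0201)},
    {"issuer": "CN=Example Root CA,O=Example", "serial": 1, "der": stand_in_cert(1)},
]

if __name__ == "__main__":
    good = build_keyinfo(CHAIN)
    print(ET.tostring(good, encoding="unicode"))
    print("one X509Data per cert:", check_keyinfo(good) or "OK")
    print("whole chain in one X509Data:", check_keyinfo(build_single_x509data(CHAIN)))
```

Running it prints the KeyInfo with three ds:X509Data children and reports the single-X509Data layout as a problem, because its three X509Certificate elements have no X509IssuerSerial to pair with and cannot each "uniquely describe everything known about a particular cert".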


