jdale at fhrd.net
Wed Jul 19 13:12:37 PDT 2006
>> "The entire certificate chain of the signer, including the root
>> certificate, shall be carried in the KeyInfo element as a sequence of
>> X509Data elements. Each of the X509Data elements shall correspond to one
>> certificate in the chain, and contain one X509IssuerSerial element and
>> X509Certificate element. The certificates may appear in any order."
> This is valid.
As written, I'm not sure it's valid; I'll try to explain my reasoning as
we trade quotes below :)
>> The research I've done seems to indicate that the entire certificate
>> must be in one X509Data element.
> This is wrong.
> Look at item #1 at http://www.w3.org/TR/xmldsig-core/#sec-X509Data
> [these elements] may appear together one or more than once iff
> (if and only if) each instance describes or is related to the
> same certificate. ...
> All such elements that refer to a particular individual
> MUST be grouped inside a single X509Data element and if the
> to which they refer appears, it MUST also be in that X509Data
You've trimmed the first sentence of the paragraph that has the sentence
"All such elements . . . ", I think it's important because I think it has
the elements referred to:
"Any X509IssuerSerial, X509SKI, and X509SubjectName elements that appear
MUST refer to the certificate or certificates containing the validation
key. All such elements . . ."
Now, the spec I have to deal with requires that one X509IssuerSerial
element and one X509Certificate element (for each link in the chain)
appear in separate X509Data elements. I think the intent for my spec was
to have the X509IssuerSerial element be for a particular link in the
chain. This is precluded by the above quote I think. Otherwise then, you
have identical copies of in each X509Data element. Assuming that we have
a single chain that terminates in a certificate that can validate the
signature, I believe that the copies are precluded by the second sentence
("All such elements . . .").
So, my spec as written conflicts with the digital signature spec because
an X509Data element cannot contain just a single X509IssuerSerial
element and a single X509Certificate element. It seems to me that the
only X509Data element that can meet that requirement is the one that
contains the certificate that has the validation key.
However, I had thought that I had convinced myself that these constraints
together boxed in the requirement that the entire chain need be in the
X509Data element, but I'm not sure now. Strictly speaking I don't see
anything that says an entire chain must be included, only part of a chain,
if that. So perhaps the rest of the chain can appear in separate X509Data
tags if the X509Certificate element is the only thing in it?
> The intent is that each X509Data uniquely describes everything known about
> a particular cert.
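An added example, not from this thread, of checking the grouping rule quoted above the way the reply reads it: each X509Data describes one certificate, so the X509IssuerSerial inside an X509Data must name the X509Certificate carried in that same X509Data, and the same identifiers must not be repeated across X509Data elements. Certificate parsing is replaced by a constructed lookup table (FAKE_CERTS, with placeholder strings instead of base64 DER), since the point is the KeyInfo layout, not DER decoding.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed stand-in for certificate parsing: maps the text of an
# X509Certificate element to (issuer name, serial). Real code would decode the
# DER to read these fields; the values below are placeholders, not certificates.
FAKE_CERTS = {
    "LEAF": ("CN=Intermediate CA", "1001"),
    "INTER": ("CN=Root CA", "7"),
    "ROOT": ("CN=Root CA", "1"),
}

def check_x509data_grouping(keyinfo_xml, cert_identity=FAKE_CERTS.get):
    """Return the grouping violations found in a KeyInfo (empty list = consistent).

    Rule from xmldsig-core sec-X509Data: identifiers (here X509IssuerSerial) for one
    certificate live in a single X509Data, and if that certificate is carried at
    all it must be in that same X509Data.
    """
    root = ET.fromstring(keyinfo_xml)
    groups = []  # per X509Data: (set of certificate identities, list of IssuerSerial refs)
    for x in root.iter(DS + "X509Data"):
        certs = {cert_identity(c.text.strip()) for c in x.findall(DS + "X509Certificate")}
        refs = [(s.findtext(DS + "X509IssuerName"), s.findtext(DS + "X509SerialNumber"))
                for s in x.findall(DS + "X509IssuerSerial")]
        groups.append((certs, refs))
    where_cert = {cid: i for i, (certs, _) in enumerate(groups) for cid in certs}
    claimed, problems = {}, []
    for i, (certs, refs) in enumerate(groups):
        for ref in refs:
            if claimed.setdefault(ref, i) != i:  # same identifiers in two X509Data elements
                problems.append(f"X509Data[{i}]: X509IssuerSerial {ref} repeated from X509Data[{claimed[ref]}]")
            if ref in where_cert and where_cert[ref] != i:  # cert carried elsewhere
                problems.append(f"X509Data[{i}]: X509IssuerSerial {ref} but its certificate is in X509Data[{where_cert[ref]}]")
    return problems

def key_info(links):
    """Build a KeyInfo with one X509Data per (issuer, serial, cert text) link (constructed input)."""
    data = "".join(
        f"<X509Data><X509IssuerSerial><X509IssuerName>{iss}</X509IssuerName>"
        f"<X509SerialNumber>{ser}</X509SerialNumber></X509IssuerSerial>"
        f"<X509Certificate>{cert}</X509Certificate></X509Data>" for iss, ser, cert in links)
    return f'<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">{data}</KeyInfo>'

# The layout the poster's spec asks for: each X509IssuerSerial names the one
# certificate in its own X509Data. This groups consistently.
PER_LINK = key_info([("CN=Intermediate CA", "1001", "LEAF"), ("CN=Root CA", "7", "INTER"),
                     ("CN=Root CA", "1", "ROOT")])
# Reading X509IssuerSerial as always naming the signing certificate yields the
# "identical copies" in every X509Data that the grouping rule forbids.
REPEATED = key_info([("CN=Intermediate CA", "1001", "LEAF"), ("CN=Intermediate CA", "1001", "INTER"),
                     ("CN=Intermediate CA", "1001", "ROOT")])

if __name__ == "__main__":
    for name, doc in (("per-link", PER_LINK), ("repeated", REPEATED)):
        print(name, check_x509data_grouping(doc) or "OK")
```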