A basic problem in using certificates (and attribute certificates) from multiple issuers (CAs) is that each issuer may have a different set of extensions (where an extension may be a composite set of attributes). With X.509, there may be an ASN specification of the extension, but I'm not aware of a standard way of obtaining it or interpreting it - is there?

I think an important use of XML would be for defining such extensions and attributes in a well-defined way which will allow interoperability among multiple certificate issuers and applications using the certificates. For example, our Trust Establishment system provides a pretty easy system for allowing applications to use (X.509 or other) certificates from diverse issuers, some of which may not be known in advance, but presently we assume each certificate has an XML certificate profile associated with it (using a simple schema/DTD we defined). Clearly, to really allow such interoperability in practice, it is desirable that such a certificate/extension/attributes definition would be standardized.

BTW, I'm not too happy with our current profiles and therefore, while I'll be happy to post them if people are interested (you can also get them as part of the package if you download), I actually think we need something different. In particular I believe we could have a spec which can reuse the ASN definitions, as well as much of the ASN logic. In particular I've been recently looking into ways to define profiles which are compatible with ASN; a particular one seems to be XER, or XML Encoding Rules (for ASN). I wonder if others have been looking into XER or have other ideas on what would be the right way, or what are the requirements, to describe such certificate/extension/attributes format.

Another BTW, I think this discussion should belong on the new XMLCERT list (archive at http://jcewww.iaik.at/mailarchive/xmlcert/xmlthreads.html). I'm copying this initial note to other relevant lists as xmlcert is very new but I suggest people really interested would follow up there.

Best Regards,
Amir Herzberg
IBM Research Lab in Haifa (Tel Aviv Office)
http://www.hrl.il.ibm.com
