> "The entire certificate chain of the signer, including the root
> certificate, shall be carried in the KeyInfo element as a sequence of
> X509Data elements. Each of the X509Data elements shall correspond to one
> certificate in the chain, and contain one X509IssuerSerial element and one
> X509Certificate element. The certificates may appear in any order."

This is valid.

> The research I've done seems to indicate that the entire certificate chain
> must be in one X509Data element.

This is wrong. Look at item #1 at http://www.w3.org/TR/xmldsig-core/#sec-X509Data

    [these elements] may appear together one or more than once iff (if and
    only if) each instance describes or is related to the same certificate.
    ...
    All such elements that refer to a particular individual certificate MUST
    be grouped inside a single X509Data element and if the certificate to
    which they refer appears, it MUST also be in that X509Data element. The
    intent is that each X509Data uniquely describes everything known about a
    particular cert.

/r$

--
SOA Appliances
Application Integration Middleware

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
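The structural rule the reply points at (one certificate per ds:X509Data, each carrying one ds:X509IssuerSerial and one ds:X509Certificate, with the chain expressed as a sequence of X509Data siblings) is easy to check mechanically before a verifier ever touches the signature. The following Python script is an added example, not code from the thread or from xmlsec; the two KeyInfo fragments and the base64 placeholders in them are constructed for illustration and are not real certificates. It only checks element structure; confirming that the IssuerSerial actually matches the DER certificate in the same X509Data would additionally require parsing the certificate, which is deliberately left out.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}


def check_x509data(keyinfo_xml: str) -> list:
    """Return a list of rule violations found in a ds:KeyInfo fragment.

    Rules checked (the profile text quoted in the thread plus XMLDSIG-Core
    sec-X509Data item #1): every ds:X509Data child of KeyInfo carries exactly
    one ds:X509IssuerSerial and exactly one ds:X509Certificate, so each
    X509Data describes exactly one certificate of the chain.  Chain order
    is not checked because the profile allows any order.
    """
    root = ET.fromstring(keyinfo_xml)
    problems = []
    x509data = root.findall("ds:X509Data", NS)
    if not x509data:
        problems.append("KeyInfo has no X509Data element")
    for i, xd in enumerate(x509data, start=1):
        serials = xd.findall("ds:X509IssuerSerial", NS)
        certs = xd.findall("ds:X509Certificate", NS)
        if len(serials) != 1:
            problems.append(
                f"X509Data #{i}: expected 1 X509IssuerSerial, found {len(serials)}")
        if len(certs) != 1:
            problems.append(
                f"X509Data #{i}: expected 1 X509Certificate, found {len(certs)}")
        # An IssuerSerial is only meaningful with both of its parts present.
        for s in serials:
            if (s.find("ds:X509IssuerName", NS) is None
                    or s.find("ds:X509SerialNumber", NS) is None):
                problems.append(
                    f"X509Data #{i}: X509IssuerSerial lacks IssuerName or SerialNumber")
        for c in certs:
            if not (c.text or "").strip():
                problems.append(f"X509Data #{i}: empty X509Certificate")
    return problems


def chain_length(keyinfo_xml: str) -> int:
    """Number of certificates carried, i.e. the number of X509Data siblings."""
    root = ET.fromstring(keyinfo_xml)
    return len(root.findall("ds:X509Data", NS))


# Constructed KeyInfo laid out as the quoted profile requires: one X509Data
# per certificate (leaf, then root here, but any order is permitted).
GOOD_KEYINFO = f"""
<ds:KeyInfo xmlns:ds="{DS}">
  <ds:X509Data>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=Example Root CA (constructed)</ds:X509IssuerName>
      <ds:X509SerialNumber>1001</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
    <ds:X509Certificate>MIIB...CONSTRUCTED-LEAF-CERT-PLACEHOLDER...</ds:X509Certificate>
  </ds:X509Data>
  <ds:X509Data>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=Example Root CA (constructed)</ds:X509IssuerName>
      <ds:X509SerialNumber>1</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
    <ds:X509Certificate>MIIB...CONSTRUCTED-ROOT-CERT-PLACEHOLDER...</ds:X509Certificate>
  </ds:X509Data>
</ds:KeyInfo>
"""

# Constructed KeyInfo built the way the original poster's "research" suggested:
# the whole chain crammed into a single X509Data.  XMLDSIG-Core forbids this
# because one X509Data may only describe a single certificate.
BAD_KEYINFO = f"""
<ds:KeyInfo xmlns:ds="{DS}">
  <ds:X509Data>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=Example Root CA (constructed)</ds:X509IssuerName>
      <ds:X509SerialNumber>1001</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
    <ds:X509Certificate>MIIB...CONSTRUCTED-LEAF-CERT-PLACEHOLDER...</ds:X509Certificate>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=Example Root CA (constructed)</ds:X509IssuerName>
      <ds:X509SerialNumber>1</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
    <ds:X509Certificate>MIIB...CONSTRUCTED-ROOT-CERT-PLACEHOLDER...</ds:X509Certificate>
  </ds:X509Data>
</ds:KeyInfo>
"""

if __name__ == "__main__":
    print("good:", chain_length(GOOD_KEYINFO), "certs,", check_x509data(GOOD_KEYINFO))
    print("bad: ", chain_length(BAD_KEYINFO), "certs,", check_x509data(BAD_KEYINFO))
```

Running it reports no problems for the first fragment and two for the second (two IssuerSerial and two Certificate children in one X509Data), which is exactly the misreading the reply corrects. A check like this is cheap to run on inbound signed documents before chain building, since a malformed KeyInfo is more often a producer bug than an attack, and rejecting it early gives a clear error instead of a vague signature-verification failure.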
