>> "The entire certificate chain of the signer, including the root
>> certificate, shall be carried in the KeyInfo element as a sequence of
>> X509Data elements. Each of the X509Data elements shall correspond to one
>> certificate in the chain, and contain one X509IssuerSerial element and one
>> X509Certificate element. The certificates may appear in any order."
>
> This is valid.

As written, I'm not sure it's valid. I'll try to explain my reasoning as we trade quotes below :)

>> The research I've done seems to indicate that the entire certificate chain
>> must be in one X509Data element.
>
> This is wrong.
>
> Look at item #1 at http://www.w3.org/TR/xmldsig-core/#sec-X509Data
>
> [these elements] may appear together one or more than once iff
> (if and only if) each instance describes or is related to the
> same certificate. ...
> All such elements that refer to a particular individual certificate
> MUST be grouped inside a single X509Data element and if the certificate
> to which they refer appears, it MUST also be in that X509Data element.

You've trimmed the first sentence of the paragraph that has the sentence "All such elements . . .". I think it's important because I think it has the elements referred to:

"Any X509IssuerSerial, X509SKI, and X509SubjectName elements that appear MUST refer to the certificate or certificates containing the validation key. All such elements . . ."

Now, the spec I have to deal with requires that one X509IssuerSerial element and one X509Certificate element (for each link in the chain) appear in separate X509Data elements. I think the intent for my spec was to have the X509IssuerSerial element be for a particular link in the chain. This is precluded by the above quote, I think. Otherwise then, you have identical copies of in each X509Data element. Assuming that we have a single chain that terminates in a certificate that can validate the signature, I believe that the copies are precluded by the second sentence ("All such elements . . ."). So, my spec as written conflicts with the digital signature spec because an X509Data element cannot contain just a single X509IssuerSerial element and a single X509Certificate element. It seems to me that the only X509Data element that can meet that requirement is the one that contains the certificate that has the validation key.

However, I had thought that I had convinced myself that these constraints together boxed in the requirement that the entire chain need be in the X509Data element, but I'm not sure now. Strictly speaking I don't see anything that says an entire chain must be included, only part of a chain, if that. So perhaps the rest of the chain can appear in separate X509Data tags if the X509Certificate element is the only thing in it?

Thanks,
Jason

> The intent is that each X509Data uniquely describes everything known about
> a particular cert.
>
> /r$
>
> --
> SOA Appliances
> Application Integration Middleware

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
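The two readings argued over in this thread can be checked mechanically. The following is an added example, not code from the xmlsec project or from either poster: a small stdlib-only Python checker for item #1 of xmldsig-core sec-X509Data (every X509IssuerSerial must refer to the certificate holding the validation key, and if that certificate appears in KeyInfo it must sit in the same X509Data as its descriptors). The DER helpers, the dummy unsigned certificates they build (CN-only names, empty algorithm and key fields) and the KeyInfo layouts are all constructed for the demo; `check_keyinfo` and `build_keyinfo` are names assumed here, not part of any library.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O"}  # only what the demo needs


# --- minimal DER encode/decode, constructed for this example -------------------
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(n):
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # sign bit stays clear

def der_name(**avas):
    # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value PrintableString }
    rdns = b""
    for short, value in avas.items():
        oid = next(k for k, v in OID_NAMES.items() if v == short)
        rdns += tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, value.encode())))
    return tlv(0x30, rdns)

def make_fake_cert(serial, issuer_cn, subject_cn):
    """Syntactically valid, unsigned dummy X.509 certificate (constructed test data)."""
    tbs = (tlv(0xA0, der_int(2)) + der_int(serial) + tlv(0x30, b"") + der_name(CN=issuer_cn)
           + tlv(0x30, b"") + der_name(CN=subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def parse_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out

def issuer_serial(der):
    """(RFC 2253-style issuer string, serial int) from DER certificate bytes."""
    _, cert_body, _ = parse_tlv(der)
    fields = children(children(cert_body)[0][1])          # tbsCertificate fields
    if fields[0][0] == 0xA0:                               # skip explicit [0] version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big")
    rdns = []
    for _, rdn in children(fields[2][1]):                  # issuer Name
        for _, ava in children(rdn):
            oid, value = children(ava)
            rdns.append(f"{OID_NAMES.get(oid[1], '?')}={value[1].decode()}")
    return ",".join(reversed(rdns)), serial                # RFC 2253 lists RDNs last-first


# --- KeyInfo construction and the sec-X509Data item #1 check -------------------
def build_keyinfo(groups):
    """groups: [(cert_der, add_issuer_serial)], one X509Data per entry (constructed layout)."""
    parts = []
    for der, with_is in groups:
        inner = ""
        if with_is:
            name, serial = issuer_serial(der)
            inner += (f"<X509IssuerSerial><X509IssuerName>{name}</X509IssuerName>"
                      f"<X509SerialNumber>{serial}</X509SerialNumber></X509IssuerSerial>")
        inner += f"<X509Certificate>{base64.b64encode(der).decode()}</X509Certificate>"
        parts.append(f"<X509Data>{inner}</X509Data>")
    return f'<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">{"".join(parts)}</KeyInfo>'

def check_keyinfo(xml_text, validation_cert_der):
    """Return a list of violations of xmldsig-core sec-X509Data item #1 (empty == conformant)."""
    want = issuer_serial(validation_cert_der)
    groups = list(ET.fromstring(xml_text).iter(DS + "X509Data"))
    ids = lambda g: {issuer_serial(base64.b64decode(c.text)) for c in g.findall(DS + "X509Certificate")}
    present = set().union(*(ids(g) for g in groups))
    problems = []
    for i, g in enumerate(groups):
        here = ids(g)
        for iss in g.findall(DS + "X509IssuerSerial"):
            ref = (iss.findtext(DS + "X509IssuerName"), int(iss.findtext(DS + "X509SerialNumber")))
            if ref != want:
                problems.append(f"X509Data[{i}]: X509IssuerSerial {ref} does not refer to the "
                                f"certificate holding the validation key")
            elif ref in present and ref not in here:
                problems.append(f"X509Data[{i}]: referenced certificate is in KeyInfo but not in "
                                f"this X509Data")
    return problems

# Constructed two-link chain: ROOT signs LEAF; LEAF is the certificate holding the validation key.
ROOT = make_fake_cert(1, "Test Root", "Test Root")
LEAF = make_fake_cert(2, "Test Root", "Test Leaf")
PER_LINK = build_keyinfo([(LEAF, True), (ROOT, True)])    # the layout Jason's spec mandates
CONFORMANT = build_keyinfo([(LEAF, True), (ROOT, False)]) # descriptors only for the leaf

if __name__ == "__main__":
    print("per-link layout:", check_keyinfo(PER_LINK, LEAF))
    print("conformant layout:", check_keyinfo(CONFORMANT, LEAF))
```

The per-link layout (an X509IssuerSerial beside every link's X509Certificate) is reported because the root's X509IssuerSerial does not refer to the certificate containing the validation key; the layout where the rest of the chain travels as bare X509Certificate elements in their own X509Data passes, which is the reading Jason arrives at in his last paragraph. A third case the check also catches is a leaf X509IssuerSerial placed in a different X509Data than the leaf certificate itself.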
