[xmlsec] core methods for write of <X509SubjectName/> and <X509IssuerSerial/>
Aleksey Sanin
aleksey at aleksey.com
Fri Jul 18 07:10:16 PDT 2003
> Please check http://roumenpetrov.info/tmp/xmlsec/ for the files.
> About patch:
> - please review new methods - they are release candidates;
> - all other is very early release, even before alpha version ;-).
Ok, I'll take a look later today.
> good idea, but "merlin-xmldsig-twenty-three/signature-x509-is.tmpl"
> has only <X509Data/>, i.e. the element format in X509Data should be
> specified from the command line and/or environment. Of course when the
> template contains "<X509Data><X509SubjectName/></X509Data>" we should
> use 'sn' when the element X509Data type is undefined.
No! If there are no children in <X509Data/> elements then xmlsec should
do the same as it does today: write full cert (see item 1) from my list).
> No idea. Yes we can send the CRL, but when the signer (one side) has an old CRL
> and the verifier (other side) has a new CRL we should care for this
> (especially when the new CRL revokes one of the certificates). I think it is
> possible for a new CRL to be issued before the expiration date of the old CRL. Some
> CRLs are too big.
Well, if you have CRLs related to your certs then you probably MUST send
them.
And maybe we should have a "don't write crls" flag in xmlSecKeyInfoCtx.
> yes. How to specify this from the command line?
Well, suppose you have certs in a pkcs12 file. Again, I am not sure I want
to do this at all.
It's just a generalization of your suggestion :) And I am investigating
options :) Maybe someone on the list has a good idea about that :)
Aleksey