[xmlsec] X509Data
Richard Salz
rsalz at us.ibm.com
Tue Jul 18 22:16:40 PDT 2006
> "The entire certificate chain of the signer, including the root
> certificate, shall be carried in the KeyInfo element as a sequence of
> X509Data elements. Each of the X509Data elements shall correspond to one
> certificate in the chain, and contain one X509IssuerSerial element and one
> X509Certificate element. The certificates may appear in any order."
This is valid.
> The research I've done seems to indicate that the entire certificate chain
> must be in one X509Data element.
This is wrong.
Look at item #1 at http://www.w3.org/TR/xmldsig-core/#sec-X509Data
    [these elements] may appear together one or more than once iff
    (if and only if) each instance describes or is related to the
    same certificate. ...
    All such elements that refer to a particular individual certificate
    MUST be grouped inside a single X509Data element and if the certificate
    to which they refer appears, it MUST also be in that X509Data element.
The intent is that each X509Data uniquely describes everything known about
a particular cert.
/r$
--
SOA Appliances
Application Integration Middleware
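A structural check for the grouping rule cited above, added here as an example; it is not part of the original thread and is not code from the xmlsec project. It enforces the profile quoted in the question (every X509Data holds exactly one X509IssuerSerial and exactly one X509Certificate, one X509Data per certificate in the chain) over a ds:KeyInfo using only the standard library. The two KeyInfo samples are constructed for the example; the base64 bodies are placeholders, not real certificates, and the checker does not decode them.

```python
"""Structural check of ds:KeyInfo against the one-certificate-per-X509Data rule.

Added example (assumes the profile quoted in the thread); not xmlsec code.
"""
import xml.etree.ElementTree as ET
from typing import List

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _q(local: str) -> str:
    """Clark-notation name for an element in the XML Signature namespace."""
    return f"{{{DS_NS}}}{local}"


def check_keyinfo(xml_text: str) -> List[str]:
    """Return a list of violations; an empty list means the layout is acceptable.

    Rules enforced (from the profile quoted in the thread):
      * KeyInfo carries at least one X509Data element
      * each X509Data holds exactly one X509Certificate
      * each X509Data holds exactly one X509IssuerSerial with a non-empty
        X509IssuerName and X509SerialNumber
    The order of X509Data elements is deliberately not checked.
    """
    root = ET.fromstring(xml_text)
    keyinfo = root if root.tag == _q("KeyInfo") else root.find(f".//{_q('KeyInfo')}")
    if keyinfo is None:
        return ["no ds:KeyInfo element found"]

    problems: List[str] = []
    x509data_list = keyinfo.findall(_q("X509Data"))
    if not x509data_list:
        problems.append("KeyInfo carries no X509Data element")

    for idx, data in enumerate(x509data_list):
        certs = data.findall(_q("X509Certificate"))
        issuer_serials = data.findall(_q("X509IssuerSerial"))
        if len(certs) != 1:
            # The spec groups everything about ONE cert per X509Data; a chain
            # crammed into a single X509Data shows up here.
            problems.append(
                f"X509Data[{idx}] holds {len(certs)} X509Certificate elements, expected 1"
            )
        if len(issuer_serials) != 1:
            problems.append(
                f"X509Data[{idx}] holds {len(issuer_serials)} X509IssuerSerial elements, expected 1"
            )
        for i_s in issuer_serials:
            for child in ("X509IssuerName", "X509SerialNumber"):
                node = i_s.find(_q(child))
                if node is None or not (node.text or "").strip():
                    problems.append(f"X509Data[{idx}] has an X509IssuerSerial without {child}")
    return problems


# Constructed sample: two certificates, each in its own X509Data (accepted).
GOOD_KEYINFO = f"""
<KeyInfo xmlns="{DS_NS}">
  <X509Data>
    <X509IssuerSerial>
      <X509IssuerName>CN=Example Root CA</X509IssuerName>
      <X509SerialNumber>1001</X509SerialNumber>
    </X509IssuerSerial>
    <X509Certificate>PLACEHOLDER-BASE64-SIGNER-CERT</X509Certificate>
  </X509Data>
  <X509Data>
    <X509IssuerSerial>
      <X509IssuerName>CN=Example Root CA</X509IssuerName>
      <X509SerialNumber>1</X509SerialNumber>
    </X509IssuerSerial>
    <X509Certificate>PLACEHOLDER-BASE64-ROOT-CERT</X509Certificate>
  </X509Data>
</KeyInfo>
"""

# Constructed sample: the whole chain in ONE X509Data (the layout the
# questioner believed was required); rejected.
BAD_KEYINFO = f"""
<KeyInfo xmlns="{DS_NS}">
  <X509Data>
    <X509IssuerSerial>
      <X509IssuerName>CN=Example Root CA</X509IssuerName>
      <X509SerialNumber>1001</X509SerialNumber>
    </X509IssuerSerial>
    <X509IssuerSerial>
      <X509IssuerName>CN=Example Root CA</X509IssuerName>
      <X509SerialNumber>1</X509SerialNumber>
    </X509IssuerSerial>
    <X509Certificate>PLACEHOLDER-BASE64-SIGNER-CERT</X509Certificate>
    <X509Certificate>PLACEHOLDER-BASE64-ROOT-CERT</X509Certificate>
  </X509Data>
</KeyInfo>
"""

if __name__ == "__main__":
    print("good:", check_keyinfo(GOOD_KEYINFO) or "ok")
    print("bad: ", check_keyinfo(BAD_KEYINFO))
```

The check is purely about grouping; whether each X509IssuerSerial actually matches the certificate beside it still needs the certificate decoded and compared, which belongs in the signature-verification step rather than in this pre-check.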