office message



Subject: RE: Digital Signatures


David,


Thanks for the comments; one remark / question though:

> We use a X509Data element in our signatures, but that element is also quite flexible.
> In our case, we only ever place the top-level certificate as a X509Certificate element
> into the X509Data, but there are other valid choices to be made.

So that would be the certificate used to sign a document (not the whole certificate chain).
IIRC OpenOffice 3.2 also does this, but I think it is more convenient to include the whole
chain, especially when dealing with very large deployments.

In .be, our ID cards have a signing certificate signed by a "Citizen CA" certificate, and
"Citizen CA" is signed by the "Belgian Root CA". The cards are valid for 5 years.

Now, to distribute the load of 9 million eID cards (and counting), there are like 100
"Citizen CAs" in use, and a new one is created each month.

So if a signed document only contains the signing certificate and one wants to verify the
chain, one has to have the "correct" Citizen CA certificate installed.

If the document would contain the whole certificate chain, one only has to install the
Belgian Root CA (replaced every 5 years or so).


> It would be helpful if the standard specified which of these choices were required,
> allowed and disallowed.

+1

Best regards

Bart
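The three situations Bart describes (only the signing certificate embedded and only the root installed; only the signing certificate embedded but the right "Citizen CA" installed locally; the whole chain embedded) can be reproduced with a small program. The Go code below is an added example for this archive page, not code from the OASIS thread, from OpenOffice or from the Belgian eID project: it generates an in-memory three-tier hierarchy (root, an intermediate standing in for a "Citizen CA", a signing certificate), renders certificates as the base64 DER strings an XMLDSig `X509Certificate` element carries, and verifies the signer against a trust store that holds only the root. The names, keys and serial numbers are constructed, and the code assumes the signing certificate is listed first inside `X509Data`, which XMLDSig itself does not require.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent (self-signed when parent is nil).
// It only builds fixtures for the example, so any failure is treated as a bug and panics.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial, fine for in-memory fixtures
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour), // five-year validity, as in the mail
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a line above, so it parses
	return cert, key
}

// BuildChain returns the hierarchy from the mail: root -> "Citizen CA" -> signing certificate.
// Keys and names are constructed in memory; nothing here is real eID material.
func BuildChain() (root, citizen, leaf *x509.Certificate) {
	root, rootKey := mkCert("Root CA (constructed)", true, nil, nil)
	citizen, citizenKey := mkCert("Citizen CA 42 (constructed)", true, root, rootKey)
	leaf, _ = mkCert("Card holder (constructed)", false, citizen, citizenKey)
	return
}

// ToX509Data renders certificates as XMLDSig X509Data carries them: one base64 DER blob per <X509Certificate>.
func ToX509Data(certs ...*x509.Certificate) []string {
	out := make([]string, 0, len(certs))
	for _, c := range certs {
		out = append(out, base64.StdEncoding.EncodeToString(c.Raw))
	}
	return out
}

// VerifyFromX509Data builds a path from the signing certificate to a trusted root using what the
// document embeds plus what the verifier has installed locally. Assumption for this example: the
// signer is the first <X509Certificate>; any later ones are intermediates.
func VerifyFromX509Data(x509Data []string, roots *x509.CertPool, installed ...*x509.Certificate) error {
	if len(x509Data) == 0 {
		return fmt.Errorf("X509Data carries no certificate")
	}
	inter := x509.NewCertPool()
	for _, c := range installed {
		inter.AddCert(c)
	}
	var leaf *x509.Certificate
	for i, b64 := range x509Data {
		der, err := base64.StdEncoding.DecodeString(b64) // line breaks inside the element are tolerated
		if err != nil {
			return err
		}
		if cert, err := x509.ParseCertificate(der); err != nil {
			return err
		} else if i == 0 {
			leaf = cert
		} else {
			inter.AddCert(cert)
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // a document signer, not a TLS server
	return err
}

func main() {
	root, citizen, leaf := BuildChain()
	roots := x509.NewCertPool()
	roots.AddCert(root) // the verifier has installed only the root
	fmt.Println("leaf only, root only:       ", VerifyFromX509Data(ToX509Data(leaf), roots))
	fmt.Println("leaf only, Citizen CA added:", VerifyFromX509Data(ToX509Data(leaf), roots, citizen))
	fmt.Println("whole chain, root only:     ", VerifyFromX509Data(ToX509Data(leaf, citizen), roots))
}
```

The first call fails with an unknown-authority error, the other two succeed: with only the signing certificate embedded, verification works only on a machine that happens to hold the matching intermediate, whereas embedding the chain lets a verifier that trusts nothing but the root build the path. A production verifier would additionally check revocation (CRL or OCSP) for every certificate in the path and would not rely on element order inside `X509Data`.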

