santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From -Fab- <>
Subject Re: X509Data vs CertificateValues
Date Tue, 19 May 2009 08:13:58 GMT

I first sent an e-mail to Juan Carlos Cruellas to ask him, but I didn't
receive an answer yet.
I also posted this question on Sun's forums, hoping that someone who had
used the Java API to implement XadES would share their take on this matter,
to no avail yet.

They told me to try on a forum dedicated to XML security, that's why I made 
this post here.


Sean Mullan wrote:
> Have you asked any of the folks who worked on Xades? They should be better
> able 
> to explain the motivation behind the design.
> --Sean
> -Fab- wrote:
>> Hello,
>> I've tried to find the answer to my question using the search feature,
>> but
>> was unsuccessful.
>> If it is already answered, please feel free to just point me to the
>> answer.
>> I am currently studying how to implement XadES XL for detached signatures
>> over XML documents.
>> I've been doing some research: I read the XMLDSIG specification, the
>> XadES
>> specification, and I've
>> been wondering something:
>> -in the XMLDSIG specification, it is clearly stated that the X509Data
>> element can contain a full
>> certification chain, in the form of a series of X509Certificate elements.
>> There's even an example:
>> <X509Data> <!-- certificate chain -->
>>        <!--Signer cert, issuer CN=arbolCA,OU=FVT,O=IBM,C=US, serial 4-->
>>        <X509Certificate>MIICXTCCA..</X509Certificate>
>>        <!-- Intermediate cert subject CN=arbolCA,OU=FVT,O=IBM,C=US 
>>             issuer CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
>>        <X509Certificate>MIICPzCCA...</X509Certificate>
>>        <!-- Root cert subject CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US -->
>>        <X509Certificate>MIICSTCCA...</X509Certificate>
>> </X509Data>
>> -in the XadES specification, it is said that any certificate of which the
>> data is already contained
>> within the KeyInfo element does NOT need to be present in the
>> CertificateValues element:
>> "
>> In principle, the CertificateValues element contains the full set of
>> certificates that have been used to validate the electronic signature,
>> including the signer's certificate. However, it is not necessary to
>> include
>> one of those certificates into this property, if the certificate is
>> already
>> present in the ds:KeyInfo element of the signature.
>> "
>> So, it follows logically that when the X509Data contains the full
>> certification chain,
>> the CertificateValues element becomes either empty, or redundant, and
>> thus
>> worthless.
>> Isn't this some sort of a clash between the specifications?
>> I find it a bit confusing to have the CertificateValues element in case
>> there lacks some
>> information inside the X509Data, because it means that when validating
>> you
>> have first
>> to check if there's everything you need in the X509Data:
>> if no :
>> you must determine what is missing and put it in the CertificateValues
>> element
>> if yes:
>> you don't need the CertificateValues element at all.
>> I think it would have been simpler to impose a particular behavior from
>> one
>> of these two:
>> -put the full certification chain in the X509Data
>> or
>> -put only the signing certificate in the X509Data
>> That way when validating you would know exactly what to expect and what
>> to
>> do.
>> Now this is only my feeling and I'm still quite new to digital
>> signatures,
>> so may be
>> I've missed some points.
>> Is there something I didn't understand in the specifications? Are my
>> interpretations
>> correct?
>> What should I do in my implementation?
>> Regards,
>> Fab 
>> PS:I'm using JSR 105 with JDK 1.5

View this message in context:
Sent from the Apache XML - Security - Dev mailing list archive at

View raw message