Thank you for the timely review!

Carsten Bormann via Datatracker <noreply@xxxxxxxx> wrote:
> These rules apply when the validation succeeds in a single step as
> well as when certificate chains need to be built.

> The draft uses the term "bag" for what is meant to be a set.
> Maybe stick with the "x5bag" parameter name and the prose "certificate
> bag", but when saying what it is, say that it is a set.

I believe we use the term bag because it is permissible for a certificate
artifact to appear more than once. Stupid maybe, but permissible.

I think that some systems/libraries considered the Issuer/Subject to be the
key for indexing the set, and then they got confused if there was more than
one certificate in the bag. The additional object used a different signature
and/or hash.

At least, I have some dim memory of some situation being described to me.
I think that the names of the guilty parties were withheld.

--
Michael Richardson <mcr+IETF@xxxxxxxxxxxx>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
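The failure mode recalled in the message above (an index keyed on Issuer/Subject that cannot cope with more than one matching certificate in the bag), shown beside a bag-tolerant index. This is an added example, not part of the original message or of the draft; the `Cert` type, the names and the byte strings are constructed stand-ins, and no real X.509 parsing is done.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Hypothetical stand-in for a parsed certificate (assumption, not a real API)."""
    issuer: str
    subject: str
    der: bytes  # constructed placeholder bytes, not real DER

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def naive_index(bag):
    """Fragile: one slot per (issuer, subject); a later entry silently replaces an earlier one."""
    return {(c.issuer, c.subject): c for c in bag}


def bag_index(bag):
    """Tolerant: skip byte-identical repeats, keep every distinct cert per name pair."""
    seen = set()
    index = defaultdict(list)
    for c in bag:
        if c.fingerprint in seen:
            continue  # the same artifact appearing twice is permitted, just redundant
        seen.add(c.fingerprint)
        index[(c.issuer, c.subject)].append(c)
    return dict(index)


# Constructed sample bag: one exact repeat, plus a second certificate with the
# same Issuer/Subject but different bytes (e.g. a different signature or hash).
ROOT = Cert("Root CA", "Root CA", b"root-cert")
CA_A = Cert("Root CA", "Issuing CA", b"issuing-ca-variant-a")
CA_B = Cert("Root CA", "Issuing CA", b"issuing-ca-variant-b")
SAMPLE_BAG = [ROOT, CA_A, CA_A, CA_B]
KEY = ("Root CA", "Issuing CA")

if __name__ == "__main__":
    print("naive keeps:", naive_index(SAMPLE_BAG)[KEY].der)
    print("tolerant keeps:", [c.der for c in bag_index(SAMPLE_BAG)[KEY]])
```

A chain builder using the tolerant index would try each candidate for a name pair in turn instead of assuming there is exactly one.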