
RE: What is the order of certificates in a certificate chain?



Hi Chris,

Alex is right:  no order should be assumed.  See, for example, the note
explicitly stating this in the last sentence of Section 3.1.  This lack of
constraint on cert order should be assumed to apply in all similar fields
(e.g., caPubs).  I guess I didn't think this needed to be repeated
throughout the document because people would already be familiar with this
practice from S/MIME (CMS) and elsewhere.

Carlisle.


> ----------
> From: 	Alex Deacon[SMTP:alex@verisign.com]
> Sent: 	Wednesday, April 19, 2000 2:05 PM
> To: 	'Christopher Williams'; PKIX Mailing List
> Subject: 	RE: What is the order of certificates in a certificate chain?
> 
> 
> I don't think any order should be assumed.  Your code should handle cert
> chains included in a registration response message as a "bag of certs".
> Making assumptions as to the order of certs in structures designed to hold
> cert chains  (i.e. a SEQ of certs, such as the caPubs structure) is probably
> a bad idea and will only cause interop problems down the line.
> 
> Alex
> 
> -----Original Message-----
> From: Christopher Williams [mailto:ccwilliams@ntlworld.com]
> Sent: Tuesday, April 18, 2000 8:41 AM
> To: PKIX Mailing List
> Subject: What is the order of certificates in a certificate chain?
> 
> 
> If, for example, a CA provides a certificate chain in an initialization
> response, in which order should it add the certificates?  Its own
> certificate first or root CA certificate first?
> 
> Christopher Williams
> 
> Software engineer, NetLexis Ltd.
> Solutions for secure electronic commerce
> http://www.netlexis.com
>
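
The "bag of certs" handling recommended in this thread, as an added example that is not part of the original messages: a receiver orders the certificates itself by following issuer names from the end-entity certificate up to a trusted root, ignoring the order in which they arrived. The `Cert` record, `build_path`, and all names in `SAMPLE_BAG` are constructed for illustration; matching on names alone is a simplifying assumption, and real code must also verify each signature, validity period and CA constraint along the path.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    # Constructed stand-in for a parsed X.509 certificate: names only.
    subject: str
    issuer: str

def build_path(bag, leaf_subject, trusted_roots):
    """Return certs ordered leaf-first, up to (not including) a trusted root,
    or None if no path exists. The order of `bag` is never consulted."""
    by_subject = {}
    for cert in set(bag):                      # drop exact duplicates
        by_subject.setdefault(cert.subject, []).append(cert)

    def extend(path, seen):
        tip = path[-1]
        if tip.issuer in trusted_roots:        # issuer is a trust anchor: done
            return path
        for cand in by_subject.get(tip.issuer, []):
            if cand in seen:                   # guard against issuer loops
                continue
            found = extend(path + [cand], seen | {cand})
            if found:
                return found
        return None                            # dead end: issuer not in the bag

    for leaf in by_subject.get(leaf_subject, []):
        found = extend([leaf], {leaf})
        if found:
            return found
    return None

# Constructed sample: root first, an unrelated cert, a duplicate, leaf in the middle.
SAMPLE_BAG = [
    Cert("CN=Example Root", "CN=Example Root"),
    Cert("CN=Other CA", "CN=Other Root"),
    Cert("CN=Policy CA", "CN=Example Root"),
    Cert("CN=ee.example", "CN=Issuing CA"),
    Cert("CN=Issuing CA", "CN=Policy CA"),
    Cert("CN=Policy CA", "CN=Example Root"),
]

if __name__ == "__main__":
    for c in build_path(SAMPLE_BAG, "CN=ee.example", {"CN=Example Root"}):
        print(c.subject, "<-", c.issuer)
```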