From: Arup Biswas <ABISWAS(_at_)novell(_dot_)com>
One small detail for the WG to resolve, we need to establish a protocol
about the certificates field in the Signed Data message. Do we keep a
single certificate or the chain? Trusted Root Certificate first or last?
Similarly for the CRLs.
I think you should push as many certificates when sending a message
that you think will help the recipient validate your public key.
As for the certificates field, it is a SET OF, not a SEQUENCE OF.
Therefore, there is no meaning to the order of certificates found in there.
In fact, if someone's software is automatically encoding as DER
(as opposed to BER) then the ordering will be strictly according to the
encoded bytes of each certificate - that is, irrelevant of the meaning of
each certificate. The certificates field is therefore an unordered
"bag o' certificates". The same goes for CRLs.
I don't want to get into the argument about the Trusted Root Certificate:
whether it is a self-signed certificate, how it is in fact "trusted". Some
applications also send self-signed certificates for the signer of the message
(not the root) to support non-hierarchical certification schemes so the sender
can
send a certificate for him/herself which is not created by a third party.
But again, the "Trusted Root Certificate" would not come first or last
in the SET OF certificates.