ietf-smime

RE: Inclusion of the issuer and serial number in authenticated information

1998-03-13 06:17:26
Jim,

I agree with your original proposal which was: "Signing-certificate attribute
value has the ASN.1 type IssuerAndSerialNumber."     I agree with Blake that
carrying the IssuerAndSerialNumber for each issuer cert in the signer's cert
path is not needed.  Furthermore, once the app has obtained the signer's
cert, then the issuer name and authorityKeyIdentifier extension, if present,
in the signer's cert can be used to identify the CA cert.  If the
authorityKeyIdentifier extension is not present in the signer's cert and
there are multiple CA certs with the same subject DN, then the app will have
to use the trial and error method described by Blake.  

In your reply to my message you said: "Specifically there is nothing that
prevents a CA from issuing a new certificate with the same serial number and
issuer name, but different extensions."  I respectfully disagree with this
statement, because X.509, verse 3.3.24, defines serial number as follows:
"certificate serial number:  An integer value, unique within the issuing CA,
which is unambiguously associated with a certificate issued by that CA." 

================================
John Pawling   
jsp(_at_)jgvandyke(_dot_)com                             
J.G. Van Dyke & Associates, Inc.           
================================
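
The lookup order described in the message above, as an added example that is not part of the original post: IssuerAndSerialNumber selects the signer's cert, then issuer DN plus authorityKeyIdentifier selects the CA cert, with trial verification as the fallback. The `Cert` model, the sample store, and the HMAC stand-in for a real CA signature are assumptions made for illustration.

```python
import hashlib, hmac
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Cert:                      # simplified model, not a real X.509 parser
    issuer: str
    serial: int
    subject: str
    key: bytes                   # stand-in for the subject's key pair
    ski: Optional[bytes] = None  # subjectKeyIdentifier
    aki: Optional[bytes] = None  # authorityKeyIdentifier
    sig: bytes = b""

def toy_sign(ca_key, c):
    # HMAC stands in for the CA's public-key signature over the cert body.
    body = f"{c.issuer}|{c.serial}|{c.subject}".encode() + c.key
    return hmac.new(ca_key, body, hashlib.sha256).digest()

def issue(ca, serial, subject, key, aki=None):
    c = Cert(ca.subject, serial, subject, key, aki=aki)
    return replace(c, sig=toy_sign(ca.key, c))

def find_signer(store, issuer, serial):
    # IssuerAndSerialNumber must name exactly one certificate.
    hits = [c for c in store if (c.issuer, c.serial) == (issuer, serial)]
    if len(hits) > 1:
        raise ValueError("issuer/serial pair is not unique")
    return hits[0] if hits else None

def find_issuer(store, signer):
    # Narrow by issuer DN, then by authorityKeyIdentifier when present.
    cands = [c for c in store if c.subject == signer.issuer]
    if signer.aki is not None:
        cands = [c for c in cands if c.ski == signer.aki]
    # Trial and error: keep the candidate whose key verifies the signature.
    for ca in cands:
        if hmac.compare_digest(toy_sign(ca.key, signer), signer.sig):
            return ca
    return None

# Constructed sample data: two CA certs sharing one subject DN.
DN = "CN=Example CA"
CA_OLD = Cert(DN, 1, DN, b"old-key", ski=b"\x01")
CA_NEW = Cert(DN, 2, DN, b"new-key", ski=b"\x02")
ALICE = issue(CA_NEW, 100, "CN=Alice", b"alice-key")           # no AKI
BOB = issue(CA_OLD, 101, "CN=Bob", b"bob-key", aki=b"\x01")
STORE = [CA_OLD, CA_NEW, ALICE, BOB]
```
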