Creating XML Records

This supplementary section describes the XML syntax for certificate revocation records. You do not need to read or use this section unless you are building a system that will act as the source of data for a Smart Data Bridge.

‘attribute-change’

A single attribute-change element is the outer container for a single privilege message.

‘attribute-section’

One or more attribute-section elements are contained within the attribute-change. Each attribute-section contains a set of certificates.

Contents of ‘attribute-section’

An attribute-section may contain one or more certificate, cert-identifier, or identifier elements. An attribute-section cannot mix certificate, cert-identifier, and identifier elements.

‘certificate’

Each certificate contains a PEM-formatted certificate, omitting surrounding text such as "-----BEGIN CERTIFICATE-----".

Line breaks are not required in the PEM data, but may be present; whitespace will be stripped. The specified certificate will be registered if it is not already.

‘cert-identifier’

One or more cert-identifier elements are contained at the beginning of each attribute-section. A cert-identifier identifies a certificate by its issuer-name and id.

‘identifier’

An identifier specifies a non-X.509 credential. An identifier has two required attributes, id and issuer-name, which together uniquely identify the non-X.509 credential.

Status Attributes

The certificate, cert-identifier, and identifier elements may carry attributes that specify a change in revocation status.

The optional reason-code specifies a numeric value (0 to 9, as defined in the RFC standard); each value represents a reason for the revocation of the specified certificate(s).

In the example below, the reason-code is 1, which means KeyCompromise.

<attribute-section>
<certificate reason-code="1" revocation-date="2006-07-17T23:20:50.05Z">

The optional revocation-date specifies the revocation time of the specified certificate(s).

A reason-code cannot be specified without also including a revocation-date.

If the reason-code is removeFromCRL and the certificate was previously suspended, the certificate is unsuspended; otherwise the specified certificate is revoked.

Simple Privilege Message Example

This is an example of a privilege message that sets the status of a certificate.

<?xml version="1.0" encoding="UTF-8"?>
<attribute-change>
<attribute-section>
<certificate reason-code="1" revocation-date="2006-07-17T23:20:50.05Z">
...PEM data...
</certificate>
</attribute-section>
</attribute-change>

This is an example of a privilege message that loads a certificate into the VA database without changing its status.

<?xml version="1.0" encoding="UTF-8"?>
<attribute-change>
<attribute-section>
<certificate>
...PEM data...
</certificate>
</attribute-section>
</attribute-change>
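The rules above (a single attribute-change root, one or more attribute-section elements, no mixing of certificate, cert-identifier and identifier within a section, reason-code only together with revocation-date, whitespace stripped from PEM data) written out as a validating parser. This is an added example, not Smart Data Bridge code; the sample message, the function names, the 0 to 9 range check and the date format are assumptions drawn from this page, and the numeric value 8 for removeFromCRL is the RFC 5280 CRLReason numbering.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample (not from the page): section 1 revokes for KeyCompromise, section 2 only loads.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<attribute-change>
  <attribute-section>
    <certificate reason-code="1" revocation-date="2006-07-17T23:20:50.05Z">
      MIIBpem data1</certificate>
  </attribute-section>
  <attribute-section><certificate>MIIBpemdata2</certificate></attribute-section>
</attribute-change>"""

ENTRY_TAGS = {"certificate", "cert-identifier", "identifier"}

def parse_privilege_message(xml_text):
    """Validate a privilege message and return (section, tag, attrs, body) tuples."""
    root = ET.fromstring(xml_text)  # for XML from untrusted sources, parse with defusedxml instead
    sections = root.findall("attribute-section")
    if root.tag != "attribute-change" or not sections:
        raise ValueError("expected one attribute-change containing attribute-section elements")
    entries = []
    for n, section in enumerate(sections, 1):
        kinds = {child.tag for child in section}
        if len(kinds) != 1 or not kinds <= ENTRY_TAGS:  # one kind per section, no mixing
            raise ValueError(f"section {n}: expected only one of {sorted(ENTRY_TAGS)}, got {sorted(kinds)}")
        for child in section:
            attrs = dict(child.attrib)
            if child.tag != "certificate" and not {"id", "issuer-name"} <= set(attrs):
                raise ValueError(f"section {n}: {child.tag} requires id and issuer-name")
            if "reason-code" in attrs:
                code = int(attrs["reason-code"])
                if "revocation-date" not in attrs or not 0 <= code <= 9:
                    raise ValueError(f"section {n}: reason-code must be 0-9 and carry a revocation-date")
                attrs["reason-code"] = code
            if "revocation-date" in attrs:  # UTC timestamp; fractional seconds are optional
                fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in attrs["revocation-date"] else "%Y-%m-%dT%H:%M:%SZ"
                attrs["revocation-date"] = datetime.strptime(attrs["revocation-date"], fmt)
            body = re.sub(r"\s+", "", child.text or "")  # whitespace in the PEM data is stripped
            entries.append((n, child.tag, attrs, body))
    return entries

def status_effect(attrs):
    """Effect of the status attributes on the certificate: register, revoke or unsuspend."""
    if "revocation-date" not in attrs:
        return "register"  # no status change: the certificate is only loaded
    if attrs.get("reason-code") == 8:  # removeFromCRL in RFC 5280 CRLReason numbering
        return "unsuspend"  # takes effect only if the certificate was previously suspended
    return "revoke"
```

Running the parser before handing a message to the bridge turns a malformed or mixed section into a hard error instead of a partial status change.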