On 8/1/07, Scott Cantor <[EMAIL PROTECTED]> wrote:
>
> This is the second most common omission in signature verification, checking
> what was signed. (The most common is relying on KeyInfo as trusted
> information.)
>
I suspect I have asked this question before, but what exactly is the
problem with relying on the KeyInfo?
If I'm verifying the KeyInfo Certificate versus the signature:
    KeyInfo ki = signature.getKeyInfo();
    X509Certificate cert = ki.getX509Certificate();
    boolean good = signature.checkSignatureValue(cert);
and verifying that the key is good and is from someone I trust? Not
all deployments of signatures are going to use a keyring of trusted
parties. In fact any formal use (institutional, enterprise) of
signatures is virtually guaranteed NOT to.
--
- Jason
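
An added example, not part of the original message: checkSignatureValue(cert) on its own shows only that the signature matches the certificate carried in KeyInfo, so the trust decision has to come from local configuration. This sketch validates the KeyInfo certificate against a locally held set of CA certificates before using it. The class name, the trustAnchors KeyStore and the choice to disable revocation checking are assumptions made for the illustration.

```java
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;

// Hypothetical helper class; not from the thread or from the library.
public final class KeyInfoTrustCheck {

    /**
     * Returns true only if the certificate in KeyInfo chains to a locally
     * configured trust anchor AND the signature verifies under it.
     * trustAnchors: assumed KeyStore holding the CA certificates you accept.
     */
    public static boolean verify(XMLSignature signature, KeyStore trustAnchors)
            throws Exception {
        KeyInfo ki = signature.getKeyInfo();
        if (ki == null) {
            return false; // nothing to resolve a key from
        }
        X509Certificate cert = ki.getX509Certificate();
        if (cert == null) {
            return false; // KeyInfo present but carries no X.509 certificate
        }

        // Step 1: trust comes from local configuration, not from the message.
        // A one-certificate path only validates if a trust anchor issued it
        // directly; intermediates carried in KeyInfo are not handled here.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(cert));
        PKIXParameters params = new PKIXParameters(trustAnchors);
        params.setRevocationEnabled(false); // assumption: revocation is checked elsewhere
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (CertPathValidatorException e) {
            return false; // untrusted issuer, expired certificate, bad chain
        }

        // Step 2: only now does a matching signature value mean anything.
        return signature.checkSignatureValue(cert);
    }
}
```

Path validation establishes that a trusted CA issued the certificate, not that its subject is the party expected to have signed this document; that comparison remains with the caller.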