> If I'm verifying the KeyInfo Certificate versus the signature: > > KeyInfo ki = signature.getKeyInfo(); > X509Certificate cert = ki.getX509Certificate(); > > boolean good = signature.checkSignatureValue(cert); > > and verifying that the key is good and is from someone I trust?
Yes, exactly. You don't show that last step in your code, and the reason is that it's incredibly complicated. So you shouldn't be terribly surprised that people don't understand that step or that they omit it. What you're describing is not what I would characterize as "relying" on KeyInfo. It's semantics. > Not all deployments of signatures are going to use a keyring of trusted > parties. In fact any formal use (institutional, enterprise) of > signatures is virtually guaranteed NOT to. Not all deployments can get away with a single static trust list either, but that's by far the most common "solution" to the part of the algorithm you don't show up above. -- Scott
