Sure, agree. But the KeyName means something specific in the mscrypto world as xmlsec is interpreting it as the MS "friendly" cert name in the crypto store. I would contend that priority should be given to any included X509Certificate when verifying. This is one of the reasons signers attempt to make things as easy as possible for the verifier by including such things. Even CRLs and issuer certs make verification almost totally independent of external dependencies.
 
Does it not make sense to check X509Certificate first? Or must we consciously remove KeyName to avoid problems in the mscrypto world, where the chances of actually having the public verification certificate in the verifier's mscrypto store are remote at best?
 
Ed

----- Original Message ----
From: Aleksey Sanin <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: Jürgen Heiss <[EMAIL PROTECTED]>; xmlsec@aleksey.com
Sent: Wednesday, May 31, 2006 11:54:26 AM
Subject: Re: [xmlsec] RE: Need urgent help for verify

> I would wager, but Aleksey is the expert, that it might be a good idea
> to ignore the KeyName if an X509Certificate is present when verifying.
> After all, the reason it got there in the first place is that it was used
> to select the cert/key when you originally signed it with xmlsec and is
> left over from the sign operation. It will verify fine if you manually
> remove the KeyName. Comments, Aleksey?

Well, when you verify a signature, you have to find a key. If both
KeyName and Certificate are present then you have to try both since
you don't know which one will work....


Aleksey
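The key-selection order the two of you are debating, as an added example (not xmlsec's code and not from this thread): embedded X509Certificate elements are tried first, so verification does not depend on the verifier's key store, and the KeyName lookup is kept as a fallback so both hints still get a chance, as Aleksey describes. The KeyInfo, the DER bytes and the key-store and fingerprint maps are all constructed stand-ins; trust in an embedded certificate is modelled by pinning its SHA-256 fingerprint, since an embedded cert only identifies a key and does not by itself make it trustworthy.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for a DER-encoded certificate (not a real certificate).
SAMPLE_DER = b"placeholder-der-bytes"

# Constructed KeyInfo shaped like what xmlsec emits after signing with a named
# key: the KeyName used to pick the signing key plus the signer's certificate.
SAMPLE_KEYINFO = f"""
<KeyInfo xmlns="{DSIG_NS}">
  <KeyName>signer-key</KeyName>
  <X509Data>
    <X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</X509Certificate>
  </X509Data>
</KeyInfo>
"""


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, used here as the pinning key."""
    return hashlib.sha256(der).hexdigest()


def key_candidates(keyinfo_xml, key_store, trusted_fingerprints):
    """Return (source, key) pairs in the order a verifier should try them.

    key_store maps KeyName -> key (the verifier's local store, e.g. mscrypto);
    trusted_fingerprints maps cert fingerprint -> key (pinned signer certs).
    Embedded certificates come first; KeyName lookups follow as a fallback.
    """
    root = ET.fromstring(keyinfo_xml)
    candidates = []
    for cert_el in root.iter(f"{{{DSIG_NS}}}X509Certificate"):
        der = base64.b64decode("".join((cert_el.text or "").split()))
        fp = fingerprint(der)
        if fp in trusted_fingerprints:  # unpinned certs are never candidates
            candidates.append(("X509Certificate", trusted_fingerprints[fp]))
    for name_el in root.iter(f"{{{DSIG_NS}}}KeyName"):
        name = (name_el.text or "").strip()
        if name in key_store:
            candidates.append(("KeyName", key_store[name]))
    return candidates


def first_working(candidates, check):
    """Try each candidate key with check(key) -> bool; return its source or None."""
    for source, key in candidates:
        if check(key):
            return source
    return None
```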


_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec