On 4/22/14, 5:08 AM, "David Yu" <[email protected]> wrote:
>Does Santuario check if the certificate is signed by CA before verifying
>XML signature?

Not generally.

>If I use the X509Data(if it is self-signed) from XML to verify the
>signature, how do I ensure the XML is sent from the trusted party?

By implementing a trust management strategy that fits your scenarios, for example [1]. Every problem domain is different, but in general if you're tempted to just do some hand waving with "a trusted CA", you're oversimplifying the problem.

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/SHIB2/TrustManagement
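An added example, not part of the message above and not Santuario project code: one possible trust strategy, explicit key trust, where the signature is only accepted if it verifies under a certificate configured out of band. The class name `PinnedSignatureCheck`, its method names and the idea of loading the pinned certificates from local PEM files are assumptions made for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import org.apache.xml.security.Init;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.Element;

// Hypothetical helper: accepts a signature only under locally configured keys.
public final class PinnedSignatureCheck {
    static { Init.init(); } // Santuario must be initialised once per JVM

    // Trust anchor comes from local configuration, never from the message.
    static X509Certificate loadPinned(Path pem) throws Exception {
        try (InputStream in = Files.newInputStream(pem)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    // sigElement is the ds:Signature element from a namespace-aware parse;
    // the caller is assumed to have registered any ID attributes it references.
    static boolean verify(Element sigElement, List<X509Certificate> pinned)
            throws Exception {
        XMLSignature sig = new XMLSignature(sigElement, "");
        KeyInfo ki = sig.getKeyInfo();
        // X509Data inside the message is sender-controlled: a self-signed
        // certificate there proves nothing about who sent the XML.
        X509Certificate offered = (ki == null) ? null : ki.getX509Certificate();
        for (X509Certificate trusted : pinned) {
            // Use the embedded certificate only as a hint to pick a candidate.
            if (offered != null && !MessageDigest.isEqual(
                    offered.getEncoded(), trusted.getEncoded())) {
                continue;
            }
            // The verification key is always the pinned one.
            if (sig.checkSignatureValue(trusted.getPublicKey())) {
                return true;
            }
        }
        return false; // no pinned key verifies the signature
    }
}
```

A message signed with a freshly generated self-signed certificate fails this check even though its signature is mathematically valid, because that certificate is not in the pinned list.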
