Maybe I'm misunderstanding the commentary made so far in this bug report.
If KeyInfo is indeed advisory, then how does one establish the trustworthiness of an enveloped signature?

Thanks,
Jason

On 11/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

------- Additional Comments From [EMAIL PROTECTED] 2006-11-07 21:18 -------

An enveloped signature omits anything inside the Signature element apart from SignedInfo. KeyInfo is not commonly signed. The only attack possible is against broken software that doesn't understand that KeyInfo is advisory, not trusted information.
-- - Jason
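
One way a verifier can treat KeyInfo as a hint rather than as trusted input is sketched below. This is an added example, not code from this thread or from the Apache project. The trust store, the function names and the certificate bytes are constructed for illustration, and the key handle it returns is what a real verifier would then use to check SignatureValue.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

class UntrustedKeyError(Exception):
    """KeyInfo did not lead to a key the verifier already trusts."""

def fingerprint(cert_bytes: bytes) -> str:
    return hashlib.sha256(cert_bytes).hexdigest()

# Constructed stand-ins for DER-encoded certificates (not real certificates).
PARTNER_CERT = b"constructed-cert-bytes: partner"
ATTACKER_CERT = b"constructed-cert-bytes: attacker"

# Hypothetical trust store, configured out of band and never filled from the
# message itself: certificate fingerprint -> handle of the verification key.
TRUST_STORE = {fingerprint(PARTNER_CERT): "partner-signing-key"}

def select_verification_key(signature_xml: str, trust_store: dict) -> str:
    """Use KeyInfo only to look up a key that is already trusted.

    KeyInfo sits outside SignedInfo, so whoever controls the message can
    replace it. The certificate it carries is therefore never used directly.
    """
    sig = ET.fromstring(signature_xml)
    if sig.tag != DS + "Signature":
        raise ValueError("not a ds:Signature element")
    path = f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate"
    for cert_el in sig.iterfind(path):
        der = base64.b64decode("".join((cert_el.text or "").split()))
        key = trust_store.get(fingerprint(der))
        if key is not None:
            return key  # the pinned key, not the one supplied in the message
    raise UntrustedKeyError("KeyInfo names no key in the trust store")

def make_signature(cert_bytes: bytes) -> str:
    """Build a constructed ds:Signature skeleton carrying the given cert."""
    b64 = base64.b64encode(cert_bytes).decode()
    return (
        '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
        "<SignedInfo/><SignatureValue/>"
        f"<KeyInfo><X509Data><X509Certificate>{b64}</X509Certificate>"
        "</X509Data></KeyInfo></Signature>"
    )

if __name__ == "__main__":
    print(select_verification_key(make_signature(PARTNER_CERT), TRUST_STORE))
    try:
        select_verification_key(make_signature(ATTACKER_CERT), TRUST_STORE)
    except UntrustedKeyError as exc:
        print("rejected:", exc)
```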