jason marshall wrote:
Maybe I'm misunderstanding the commentary made so far in this bug report.
If KeyInfo is indeed advisory, then how does one establish the
trustworthiness of an enveloped signature?
The relying (validating) party still needs to determine the
trustworthiness of the KeyInfo material, or the key that it used to
validate the signature (does the signing key actually belong to someone
I trust?). For example, if KeyInfo contains an X509Certificate then you
shouldn't blindly trust the certificate; you need to determine if you
trust the CA that issued that certificate, for example by building a
chain of certificates from a trust anchor and validating the certificate
chain (checking if certs have not been revoked, etc.). XML Signature does
not define how this is done, it is up to the application. However, there
are CertPath APIs in the JDK which already help you do this: see
http://java.sun.com/j2se/1.5.0/docs/guide/security/certpath/CertPathProgGuide.html
for more information.
--Sean
Thanks,
Jason
On 11/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
------- Additional Comments From [EMAIL PROTECTED] 2006-11-07 21:18 -------
An enveloped signature omits anything inside the Signature element apart from
SignedInfo. KeyInfo is not commonly signed. The only attack possible is against
broken software that doesn't understand that KeyInfo is advisory, not trusted
information.
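The check described in the reply above, sketched as an added example (not code from this thread or from the Apache XML Security project): a `KeySelector` that treats KeyInfo certificates as hints and hands back a key only after the JDK CertPath API builds a PKIX path to the relying party's own trust anchors. The class name `AnchoredKeySelector` and the `trustAnchors` KeyStore are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;

/** Hypothetical KeySelector: KeyInfo is advisory, so a key is returned only after path validation. */
public final class AnchoredKeySelector extends KeySelector {
    private final KeyStore trustAnchors; // assumption: CA certificates the relying party chose itself
    public AnchoredKeySelector(KeyStore trustAnchors) { this.trustAnchors = trustAnchors; }

    @Override
    public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
            AlgorithmMethod method, XMLCryptoContext ctx) throws KeySelectorException {
        if (keyInfo == null) throw new KeySelectorException("Signature carries no KeyInfo");
        // Collect every certificate KeyInfo offers; none of them is trusted at this point.
        List<X509Certificate> offered = new ArrayList<>();
        for (Object structure : keyInfo.getContent()) {
            if (!(structure instanceof X509Data)) continue;
            for (Object item : ((X509Data) structure).getContent()) {
                if (item instanceof X509Certificate) offered.add((X509Certificate) item);
            }
        }
        for (X509Certificate candidate : offered) {
            if (candidate.getBasicConstraints() != -1) continue; // CA cert: chain material, not a signer
            try {
                X509CertSelector target = new X509CertSelector();
                target.setCertificate(candidate);
                PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, target);
                // The offered certificates may serve as intermediates, never as anchors.
                params.addCertStore(CertStore.getInstance("Collection",
                        new CollectionCertStoreParameters(offered)));
                // Revocation checking needs CRL or OCSP data to be available, else the build fails.
                params.setRevocationEnabled(true);
                PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                        CertPathBuilder.getInstance("PKIX").build(params);
                final PublicKey key = result.getPublicKey();
                return () -> key;
            } catch (CertPathBuilderException e) {
                // No valid path for this candidate; try the next one.
            } catch (GeneralSecurityException e) {
                throw new KeySelectorException(e);
            }
        }
        throw new KeySelectorException("No KeyInfo certificate chains to a trust anchor");
    }
}
```

Pass an instance to `new DOMValidateContext(selector, signatureNode)` before calling `XMLSignature.validate`. A path to a trusted CA shows who issued the certificate; the application still has to decide whether that subject is an acceptable signer.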