On 11/8/06, Sean Mullan <[EMAIL PROTECTED]> wrote:
jason marshall wrote:
> Maybe I'm misunderstanding the commentary made so far in this bug report.
>
> If KeyInfo is indeed advisory, then how does one establish the
> trustworthiness of an enveloped signature?

The relying (validating) party still needs to determine the
trustworthiness of the KeyInfo material, or the key that it used to
validate the signature (does the signing key actually belong to someone
I trust?). For example, if KeyInfo contains an X509Certificate then you
shouldn't blindly trust the certificate; you need to determine if you
trust the CA that issued that certificate - for example by building a
chain of certificates from a trust anchor and validating the certificate
chain (checking that certs have not been revoked, etc). XML Signature does
not define how this is done; it is up to the application. However, there
are CertPath APIs in the JDK which already help you do this: see
http://java.sun.com/j2se/1.5.0/docs/guide/security/certpath/CertPathProgGuide.html
for more information.


Yes, of course.  My question is, if the KeyInfo in a valid signature
can be changed without failing the signature check, then what good
does it do me to check the chain of trust on the KeyInfo?

I presume this behavior is implemented as specced by the W3C.  I'm
just wondering what the solution was to this problem if the above
isn't actually sufficient.


-Jason


--Sean

>
> Thanks,
> Jason
>
> On 11/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> ------- Additional Comments From [EMAIL PROTECTED]  2006-11-07 21:18 -------
>> An enveloped signature omits anything inside the Signature element apart from
>> SignedInfo. KeyInfo is not commonly signed. The only attack possible is against
>> broken software that doesn't understand that KeyInfo is advisory, not trusted
>> information.
--
- Jason
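The check Sean describes (build and validate a chain from a trust anchor before relying on the certificate carried in KeyInfo), written out as an added example with the JDK's JSR 105 XML Signature API and the CertPath API; it is not code from this thread or from the Apache project. The class name, the caller-supplied trust store and the CertStore of intermediates and CRLs are assumptions.

```java
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;

/** KeyInfo is advisory: a certificate found there is used only after a PKIX chain from it to one of our trust anchors has been built and validated. */
public final class TrustedCertKeySelector extends KeySelector {
    private final Set<TrustAnchor> anchors = new HashSet<>();
    private final CertStore extra;   // intermediates and CRLs supplied by the caller (assumed); may be null
    public TrustedCertKeySelector(KeyStore trustStore, CertStore extra) throws GeneralSecurityException {
        this.extra = extra;
        for (String alias : Collections.list(trustStore.aliases()))
            if (trustStore.isCertificateEntry(alias))
                anchors.add(new TrustAnchor((X509Certificate) trustStore.getCertificate(alias), null));
    }

    @Override
    public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                    XMLCryptoContext ctx) throws KeySelectorException {
        if (keyInfo == null) throw new KeySelectorException("signature carries no KeyInfo");
        for (Object s : keyInfo.getContent()) {
            if (!(s instanceof X509Data)) continue;
            for (Object o : ((X509Data) s).getContent()) {
                if (!(o instanceof X509Certificate)) continue;
                final X509Certificate cert = (X509Certificate) o;
                try {
                    X509CertSelector target = new X509CertSelector();
                    target.setCertificate(cert);          // build a chain that ends at this leaf
                    PKIXBuilderParameters p = new PKIXBuilderParameters(anchors, target);
                    p.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(Collections.singleton(cert)))); // leaf must be findable
                    if (extra != null) p.addCertStore(extra);
                    p.setRevocationEnabled(true);         // fails closed if no CRL/OCSP data is available
                    CertPathBuilder.getInstance("PKIX").build(p);   // throws if no trusted chain exists
                } catch (GeneralSecurityException e) {
                    throw new KeySelectorException("KeyInfo certificate is not trusted: " + e.getMessage(), e);
                }
                return new KeySelectorResult() { public Key getKey() { return cert.getPublicKey(); } };
            }
        }
        throw new KeySelectorException("no trusted X509Certificate in KeyInfo");
    }

    public static boolean validate(org.w3c.dom.Node sigNode, KeyStore trustStore, CertStore extra) throws Exception {
        DOMValidateContext vc = new DOMValidateContext(new TrustedCertKeySelector(trustStore, extra), sigNode);
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vc).validate(vc);
    }
}
```

`validate` runs the selector before the core SignedInfo and reference checks, so a KeyInfo certificate that does not chain to a configured anchor aborts validation with an XMLSignatureException rather than being used as the verification key.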
