> I'm working on signing an XML document using a X509 certificate. As
> part of the signing process, I am appending DSIGKeyInfoX509 information
> in the signature (by calling appendX509Data on the DSIGSignature
> object). Once that is there, I am manually adding the name of the
> certificate, and then using that name to find the certificate when
> verifying.
Name meaning...? There aren't really any names that unambiguously work in the absence of a specific context. DNs are useless as there is no global PKI, so names are always relative to a deployment scenario.

> Is there a standard as to what types of information should be stored
> there?

No. Embedding certificates is far and away the most common approach.

> And once the data is stored, is there an automated way of
> loading the certificate based on the data?

Most libraries provide some kind of key resolution mechanism. This one includes a KeyResolver abstraction that returns a key based on a KeyInfo object, and supports a couple of basic types when the key is inside the XML. This is useless for real applications, since it just verifies the signature with a key that is self-evident, but doesn't authenticate the message.

My OpenSAML project includes a ton of additional code around resolving KeyInfo material into credentials and applying trust mechanisms. It's extremely complex territory and there are no specs to follow. Shortcuts and laziness abound.

-- Scott
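The distinction Scott draws above (a resolver that returns whatever key sits inside `<ds:KeyInfo>` lets the signature verify but authenticates nothing, because the signer chose that key) is easy to see in code. The following is an added example written for this page, not code from the thread, from the C++ xml-security library, or from OpenSAML. It resolves `X509Data` against a deployment-specific trust store keyed by certificate fingerprint (SHA-256 over the DER bytes) and treats `X509SubjectName` only as a hint for choosing among already-trusted entries, never as something to look a certificate up by on its own. The trust store, the "certificate" bytes and the KeyInfo fragments are all constructed placeholders (not real DER) so the script runs offline; only the resolution logic is the point.

```python
"""Trust-anchored KeyInfo resolution (constructed example, standard library only)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed trust store: SHA-256 fingerprint of the DER -> subject name the
# deployment expects for that credential. Real deployments build this from
# configuration or metadata; the bytes below are placeholders, not a real cert.
TRUSTED_IDP_DER = b"constructed-placeholder-der-for-idp-cert"
TRUST_STORE = {
    hashlib.sha256(TRUSTED_IDP_DER).hexdigest(): "CN=idp.example.org",
}


class UntrustedKeyInfo(Exception):
    """Raised when KeyInfo cannot be resolved to a pinned credential."""


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def resolve_credential(keyinfo_xml: str, trust_store=TRUST_STORE) -> dict:
    """Return the pinned credential that KeyInfo refers to, or raise.

    The embedded certificate is never trusted because it is present; it is
    accepted only if its fingerprint is already in the trust store.
    """
    root = ET.fromstring(keyinfo_xml)
    ns = {"ds": DS}
    cert_b64 = root.findtext("ds:X509Data/ds:X509Certificate", namespaces=ns)
    subject = root.findtext("ds:X509Data/ds:X509SubjectName", namespaces=ns)

    if cert_b64 is None:
        # Name only: a DN is meaningless without context, so it may select
        # among pinned entries but can never introduce a new credential.
        if subject is None:
            raise UntrustedKeyInfo("no usable X509Data")
        matches = [fp for fp, s in trust_store.items() if s == subject]
        if len(matches) != 1:
            raise UntrustedKeyInfo("subject name is not uniquely pinned")
        return {"fingerprint": matches[0], "subject": subject}

    der = base64.b64decode("".join(cert_b64.split()))
    fp = fingerprint(der)
    if fp not in trust_store:
        # This is the case a naive KeyResolver gets wrong: the key is
        # self-evident and the signature would verify, but nobody vouches for it.
        raise UntrustedKeyInfo("embedded certificate is not a trust anchor")
    if subject is not None and subject != trust_store[fp]:
        raise UntrustedKeyInfo("subject name does not match the pinned entry")
    return {"fingerprint": fp, "subject": trust_store[fp]}


def is_trusted(keyinfo_xml: str, trust_store=TRUST_STORE) -> bool:
    try:
        resolve_credential(keyinfo_xml, trust_store)
        return True
    except UntrustedKeyInfo:
        return False


def build_keyinfo(der: bytes = None, subject: str = None) -> str:
    """Build a minimal <ds:KeyInfo> with X509Data for the examples (constructed)."""
    parts = []
    if subject is not None:
        parts.append(f"<ds:X509SubjectName>{subject}</ds:X509SubjectName>")
    if der is not None:
        encoded = base64.b64encode(der).decode("ascii")
        parts.append(f"<ds:X509Certificate>{encoded}</ds:X509Certificate>")
    body = "".join(parts)
    return f'<ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>{body}</ds:X509Data></ds:KeyInfo>'


if __name__ == "__main__":
    # Signer embeds the pinned certificate: resolves to the trusted entry.
    print(resolve_credential(build_keyinfo(TRUSTED_IDP_DER)))
    # Signer embeds a certificate of its own choosing: rejected even though a
    # naive resolver would happily verify the signature with it.
    print(is_trusted(build_keyinfo(b"constructed-unknown-cert")))
    # Name-only KeyInfo: usable only when it selects exactly one pinned entry.
    print(is_trusted(build_keyinfo(subject="CN=idp.example.org")))
```

The trust store here is deliberately a flat fingerprint pin; a real deployment would substitute whatever trust engine it uses (metadata, a CA chain, explicit key pins), but the shape of the decision is the same: KeyInfo selects a credential, the trust mechanism decides whether that credential is allowed to sign, and signature verification happens only after that.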