Please check http://roumenpetrov.info/tmp/xmlsec/ for the files.
About patch:
- please review new methods - they are release candidates;
- all other is very early release, even before alpha version ;-).
Ok, I'll take a look later today.
Good idea, but "merlin-xmldsig-twenty-three/signature-x509-is.tmpl" has only <X509Data/>, i.e. the format of the elements in X509Data should be specified from the command line and/or the environment. Of course, when the template contains "<X509Data><X509SubjectName/></X509Data>" we should use 'sn' when the X509Data element type is undefined.
No! If there are no children in <X509Data/> elements then xmlsec should do the same
as it does today: write full cert (see item 1) from my list).
No idea. Yes, we can send the CRL, but when the signer (one side) has an old CRL and the verifier (other side) has a new CRL we should care about this (especially when the new CRL revokes one of the certificates). I think it is possible for a new CRL to be issued before the expiration date of the old CRL. Some CRLs are too big.
Well, if you have CRLs related to your certs then you probably MUST send them.
And maybe we should have a "don't write crls" flag in xmlSecKeyInfoCtx.
Yes. How to specify this from the command line?
Well, suppose you have certs in pkcs12 file. Again, I am not sure I want to do this at all.
It's just a generalization of your suggestion :) And I am investigating options :) Maybe someone
on the list has a good idea about that :)
Aleksey
