Yes I see what you are saying now. In my environment the store is called "other people".

So from a recipient as a verifier, 'MY' signing cert would be in his "Other People" store. However if the cert is in 'MY' as opposed to 'OtherPeople' it should still work. There are 2 concerns here:

1) the verifier may have to check multiple stores to find the signer's cert
2) why does the cert even have to be in "any" store if it is already contained in the signed document?

In the case of OpenSSL all you need to verify the trust chain is the issuer or issuers' certs loaded into the KeysMngr. This makes sense. In mscrypto, why can't we start the chain search from the signer's issuer extracted from the cert in the signed document, and not from the signer itself? There will be many situations where the recipient does not have the signer's public cert in their store.

Ed

-----Original Message-----
From: Dmitry Belyavsky [mailto:[EMAIL PROTECTED]
Sent: January 11, 2006 11:51 AM
To: Edward Shallow
Cc: [email protected]
Subject: RE: [xmlsec] Verify - OpenSSL vs mscrypto

Greetings!

On Wed, 11 Jan 2006, Edward Shallow wrote:

> > Dmitry wrote ...
> >
> > Edward, when you verify the signature using your own certs ('MY'
> > cert storage), the library doesn't verify chain using my patch. To
> > see my patch really works you need to verify the signature from the
> > other user's account with signer's CA cert and CRL installed.
>
> I do not know what you mean by "the other user's account". All
> personal certificates used by an individual are installed in the default 'MY' store.
> At verification time, the starting point for the get certificate chain
> processing is from the cert context of the signer's cert no matter who
> does that verification. In fact the signer's cert should not have to
> be in the verifier's store at verify time. The first certificate to
> chase in the chain should be the immediate issuer's certificate etc
> ... What does "other user's account" mean?

I mean the signature is verified more often with the user differing from the signer.
So sender's certs are not placed in "MY" store. In my copy of Windows the store is known as "Trusted users", though my colleagues say its correct name is "Addressbook".

--
SY, Dmitry Belyavsky (ICQ UIN 11116575)

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
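An added example, not from this thread and not xmlsec or mscrypto code, using only the openssl command line to show the verification model Ed describes for OpenSSL: the signer's certificate is taken from what accompanies the signed data, and the verifier's store only needs to hold the issuer. Everything in it (the "Example Issuer CA", "Unrelated CA" and "Example Signer" names, the invoice text, the temp-directory layout) is constructed; it does not reproduce xmlsec's KeysMngr or the mscrypto chain engine, it just runs the two checks a verifier has to make.

```shell
#!/bin/sh
# Added example (not code from the xmlsec thread or project).
# A verifier holding only the issuer CA checks a signed document whose
# signer cert travels with it; the signer cert is never put in any store.
# All names and the document text below are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: the real issuer, an unrelated CA, and a signer issued by the real one.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Issuer CA" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" \
    -subj "/CN=Unrelated CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/signer.key" -out "$WORK/signer.csr" \
    -subj "/CN=Example Signer" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/signer.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/signer.pem" >/dev/null 2>&1
}

# The signer produces a document and a detached signature; signer.pem is
# what ships alongside (the "cert contained in the signed document").
sign_document() {
  printf 'Invoice 42: total 100\n' > "$WORK/doc.txt"   # constructed payload
  openssl dgst -sha256 -sign "$WORK/signer.key" \
    -out "$WORK/doc.sig" "$WORK/doc.txt"
}

# Chain check: does the shipped signer cert chain to the given trust anchor?
# Prints "ok" or "fail". Only the anchor comes from the verifier's store.
verify_chain() {
  anchor="$1"
  if openssl verify -CAfile "$anchor" "$WORK/signer.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Signature check using only the public key extracted from the shipped cert.
# Optional argument: the file to check against the signature (default: doc.txt).
verify_signature() {
  doc="${1:-$WORK/doc.txt}"
  openssl x509 -in "$WORK/signer.pem" -pubkey -noout > "$WORK/signer.pub"
  if openssl dgst -sha256 -verify "$WORK/signer.pub" \
       -signature "$WORK/doc.sig" "$doc" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Full verifier: the chain must reach the trusted issuer AND the signature must hold.
verify_document() {
  if [ "$(verify_chain "$WORK/ca.pem")" = ok ] && [ "$(verify_signature)" = ok ]; then
    echo ok
  else
    echo fail
  fi
}

setup_pki
sign_document
printf 'Invoice 42: total 999\n' > "$WORK/doc-tampered.txt"   # constructed tampered copy
printf 'chain against real issuer:      %s\n' "$(verify_chain "$WORK/ca.pem")"
printf 'chain against unrelated anchor: %s\n' "$(verify_chain "$WORK/other-ca.pem")"
printf 'signature on original:          %s\n' "$(verify_signature)"
printf 'signature on tampered copy:     %s\n' "$(verify_signature "$WORK/doc-tampered.txt")"
printf 'full verification:              %s\n' "$(verify_document)"
```

The two negative cases are the ones worth keeping in mind when comparing the stores: a signer cert that chains only to an anchor the verifier does not hold is rejected regardless of which store it sits in, and a valid chain says nothing about the signature itself, so both checks are needed. Revocation (the CRL Dmitry mentions) is outside this example.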
