Yes, of course I get a match on "Test User 1" and everything works. The point is "it shouldn't work". When I do not load --trusted-der it should not work, and it does. Meaning "no cert chain checking".

It is impossible for your script to work without loading "Test User 1" into the 'MY' store. In fact the command line utility defaults to 'MY', so you have to put it there. If you are using my signed document, it contains <dsig:KeyName>. You said you are not using --enabled-key-data, so standard processing in mscrypto will try to find "Test User 1" no matter what. There is nothing tricky about my setup; it passes all of your test suite perfectly. I am puzzled by your explanation?

Ed

> As I wrote, I *did not* use this option in my test. What your results show is exactly what I already explained to you: the key w/o "--enabled-key-data retrieval-method,x509,raw-x509-cert" is searched by key name and you have a match in your MS Crypto store.
>
> Aleksey

_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec