Hm... Any particular reason for this? It seems to me that if you have
trusted certs then you need to use *all* of them. Plus I am a little
bit afraid that this might screw existing applications.

It seems to me there is almost no reason to avoid installing trusted
certs and the corresponding CRLs into the system storage. So the user can either
provide the chain, passing all the necessary certs manually, or suppose that the
root cert (or the first few certs) is already present in the system.

Unfortunately, we haven't found a way to add trusted certs to the system
store during cert chain verification.

Exactly! So why not keep the existing logic:
- check the "current" trusted certs from the KeyManager (a kind of session
  trusted certs)
- then check the system trusted certs

I am not sure I like the idea of excluding system certs altogether. It
does not sound right to me.

Aleksey,

There are scenarios when you do not want to use the system store. For example: an application might use different digital signature policies for different kinds of documents. The signature policy should specify which certs are trusted. We would like to avoid the scenario where a system administrator accidentally changes the behaviour of one of the applications running on the system by installing a new trusted certificate into a system store.

On the other hand, I agree that the patch should not change the existing behaviour and thus break the existing applications.

My opinion is that xmlsec needs more flexible support for tuning the chain building process. Currently I am finding my way around the source code, trying to understand what it currently does and what it does not do. I hope I will be able to contribute soon ;-)

Dmitry,

Unfortunately, we haven't found a way to add trusted certs to the system
store during cert chain verification.

You can add the trusted certs to the system store through CryptoAPI. However, I would advise against it, because this (temporarily) changes the global state of the system and might have side effects on other applications (see above). You can specify additional stores when building the chain with CertGetCertificateChain (I think you are already doing this).

Bye,
 Amiler
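The two points argued in this thread (the application's signature policy naming its own trust anchors instead of relying on the system store, and the certs that travel with a signature acting as an "additional store" that can complete the chain but is never trusted by itself) are easy to see in code. The following is an added example written for this page, not xmlsec's code and not the CryptoAPI calls discussed above; it uses Go's standard crypto/x509 chain builder, where a non-nil Roots pool is the analogue of "do not consult the system store" and the Intermediates pool is the analogue of CertGetCertificateChain's additional store. The whole PKI (policy root, intermediate, signing leaf, and an unrelated root standing in for something an administrator dropped into the system store) is constructed in memory with fresh keys on every run; all names are invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

// TestPKI is a constructed hierarchy for the example (not a real PKI):
// the anchor the application's signature policy trusts, an intermediate and
// a signing leaf below it, and an unrelated root that plays the part of a
// certificate someone installed into the system store.
type TestPKI struct {
	PolicyRoot    *x509.Certificate
	Intermediate  *x509.Certificate
	Leaf          *x509.Certificate
	UnrelatedRoot *x509.Certificate
}

// issue creates a P-256 certificate from tmpl; with parent == nil it is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// BuildPKI generates the constructed hierarchy with fresh keys.
func BuildPKI() (*TestPKI, error) {
	root, rootKey, err := issue(caTemplate("Policy Root", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate("Policy Intermediate", 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "Document Signer"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, inter, interKey)
	if err != nil {
		return nil, err
	}
	other, _, err := issue(caTemplate("Unrelated Root", 4), nil, nil)
	if err != nil {
		return nil, err
	}
	return &TestPKI{PolicyRoot: root, Intermediate: inter, Leaf: leaf, UnrelatedRoot: other}, nil
}

// VerifyUnderPolicy builds the signer's chain using only the anchors the
// signature policy names. A non-nil Roots pool makes crypto/x509 ignore the
// system store completely (a nil Roots would consult it instead). The extra
// certs shipped with the signature go into Intermediates: they may complete
// the chain but are never trusted on their own.
func VerifyUnderPolicy(leaf *x509.Certificate, anchors, extras []*x509.Certificate) ([][]*x509.Certificate, error) {
	roots := x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range extras {
		inters.AddCert(c)
	}
	return leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
}

// IsUnknownAuthority reports whether chain building failed because no
// configured anchor signs the chain (as opposed to expiry, usage, etc.).
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	pki, err := BuildPKI()
	if err != nil {
		log.Fatal(err)
	}
	extras := []*x509.Certificate{pki.Intermediate}
	chains, err := VerifyUnderPolicy(pki.Leaf, []*x509.Certificate{pki.PolicyRoot}, extras)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("policy root trusted, chain length:", len(chains[0]))
	_, err = VerifyUnderPolicy(pki.Leaf, []*x509.Certificate{pki.UnrelatedRoot}, extras)
	fmt.Println("only an unrelated root trusted -> unknown authority:", IsUnknownAuthority(err))
	_, err = VerifyUnderPolicy(pki.Leaf, []*x509.Certificate{pki.PolicyRoot}, nil)
	fmt.Println("anchor trusted but intermediate not supplied -> unknown authority:", IsUnknownAuthority(err))
}
```

The third call shows why the intermediate has to be supplied as an additional (untrusted) store rather than installed anywhere: the policy root is trusted, yet the chain cannot be completed without it. The "session trusted certs first, then the system store" order Aleksey describes would be two calls here, one with the policy pool and a second with Roots left nil; crypto/x509 does not stack the two pools for you.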


_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
