Hello, I've been charged with parsing an XML document that has been digitally signed. So far the xmlsec library has been quite useful. Unfortunately, I've come across a clause in my spec that seems to befuddle the library. I believe it's because how the spec is written doesn't match how the XML Digital Signature spec is written. The author of my spec disagrees, of course, and claims that his reading is valid, and that libraries assume things and get lucky.
The offending clause in my spec:

"The entire certificate chain of the signer, including the root certificate, shall be carried in the KeyInfo element as a sequence of X509Data elements. Each of the X509Data elements shall correspond to one certificate in the chain, and contain one X509IssuerSerial element and one X509Certificate element. The certificates may appear in any order."

The research I've done seems to indicate that the entire certificate chain must be in one X509Data element. Unfortunately I've not been able to get a definitive statement from the XML Digital Signature page that says that. While researching this email, I just noticed the bit about the X509IssuerSerial, and I know that has quite definite constraints, so I may be able to use it as leverage, but it may not matter in the end.

I have a couple of questions then. Suppose I am unable to convince the author that his version is incorrect, and I have to work under those constraints. How would you go about it? I have a few ideas, but I would appreciate the advice.

Second, a more philosophical question I suppose. How much of a fight should I put up on this? Or am I completely mistaken in my assessment?

Thank you for your time.

Jason
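An added example, not part of the original message and not xmlsec code: one way to read a KeyInfo laid out as the quoted clause describes, taking one certificate from each X509Data element and rejecting any X509Data that does not hold exactly one X509IssuerSerial and one X509Certificate. The function names, the sample document (placeholder bytes, not real certificates) and the pinned-fingerprint set are assumptions; certificates carried in the message, the root included, count as trusted only when they match a locally pinned fingerprint.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
# collect_certs, split_by_trust and pinned_sha256 are this example's own names.
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: two X509Data elements, one certificate each. The
# base64 bodies are placeholder bytes, not real DER certificates.
SAMPLE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyInfo>
<X509Data>
  <X509IssuerSerial><X509IssuerName>CN=Example Root</X509IssuerName>
    <X509SerialNumber>1</X509SerialNumber></X509IssuerSerial>
  <X509Certificate>cm9vdC1jZXJ0</X509Certificate>
</X509Data>
<X509Data>
  <X509IssuerSerial><X509IssuerName>CN=Example Root</X509IssuerName>
    <X509SerialNumber>42</X509SerialNumber></X509IssuerSerial>
  <X509Certificate>c2lnbmVyLWNlcnQ=</X509Certificate>
</X509Data>
</KeyInfo></Signature>"""


def collect_certs(xml_text):
    """Return one entry per X509Data, enforcing the clause's one-plus-one rule."""
    key_info = ET.fromstring(xml_text).find(f".//{DS}KeyInfo")
    if key_info is None:
        raise ValueError("no KeyInfo element")
    entries = []
    for data in key_info.findall(f"{DS}X509Data"):
        serials = data.findall(f"{DS}X509IssuerSerial")
        certs = data.findall(f"{DS}X509Certificate")
        if len(serials) != 1 or len(certs) != 1:
            raise ValueError("X509Data must hold one IssuerSerial and one Certificate")
        der = base64.b64decode("".join((certs[0].text or "").split()), validate=True)
        entries.append({
            "issuer": serials[0].findtext(f"{DS}X509IssuerName").strip(),
            "serial": int(serials[0].findtext(f"{DS}X509SerialNumber")),
            "der": der,
            "sha256": hashlib.sha256(der).hexdigest(),
        })
    if not entries:
        raise ValueError("KeyInfo carries no X509Data")
    return entries


def split_by_trust(entries, pinned_sha256):
    """Trusted means pinned locally, never merely present in the document."""
    trusted = [e for e in entries if e["sha256"] in pinned_sha256]
    untrusted = [e for e in entries if e["sha256"] not in pinned_sha256]
    return trusted, untrusted
```

The decoded blobs from both lists would then be handed to the verifier's own chain-building step, which has to order them itself because the clause allows any order.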
