> The addition of the certificate chain just seems to introduce
> noise into this process, and add unnecessary complication.

This is not quite true... Establishing/defining trust is a very
important part of PKI (and signature verification).

> Sorry, I should have mentioned that the author uses the Apache library.
> He informed me that the library would validate the signature if the key
> happened to be in the first X509Data element.  (Hence the "get lucky"
> comment).  My experience with xmlsec is that the validation fails because
> the chain can't be validated.

Not sure about the exact details of the Apache library behavior... But xmlsec
will not use a certificate unless the certificate can be "traced back"
through the certificate chain to one of the "trusted" certificates known
to the system.

Aleksey


_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec