You are describing the idea of "direct" trust when person A and B have direct contact. If they can *securely* exchange the certificates (i.e. public keys) then everything you describe is working just fine.
However, in real life such direct *secure* communications are not always possible. And this is the reason for having X509 PKI, when there is a third person (trusted party) who holds a "trusted" root certificate and provides a way to indirectly pass credentials from person A to person B. Thus, signature verification involves not only a check of the signature's validity by itself but also the validity of "trust" in this third person. And this is the reason to pass 'rootcert.pem' on the command line.

This is a *very* brief description of X509 PKI. A good book on cryptography might give you more explanations and insights on the subject:

https://www.aleksey.com/xmlsec/related.html

Enjoy,
Aleksey

Brian McLaughlin wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I am attempting to use XMLsec for signing, verifying and encrypting, decrypting XML documents. I have currently implemented the example 3 for sign and verify and cannot understand the logic of using the rootcert.pem for verifying the signature.

My understanding of the protocol is as follows:

Certificate authority issues a private key and a certificate (signed by the certificate authority) to person A.

Certificate authority issues a private key and a certificate (signed by the certificate authority) to person B.

When person A wants to communicate with person B, (s)he signs the message with person A's private key.

Person B then receives the message and verifies that the message was signed by person A by using person A's public key.

As a result, I believed the commands in your example should be:

./sign3 sign3-doc.xml rsakey.pem rsacert.pem > sign3-res.xml
./verify3 sign3-res.xml rsacert.pem

Can you explain what I am misunderstanding, if possible?

Thank you in advance,
Brian McLaughlin.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGCnsSx+Pka16x9kURArGeAJ9QKWlegAfr3cDy9obF6qRREaKThQCfUijv
Jns1x+HZPYT8eRJ3nDBeJyM=
=+6qV
-----END PGP SIGNATURE-----
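The two checks the reply distinguishes, signature validity and trust in the issuer, shown as an added example that is not part of the original thread or of xmlsec. It uses the `openssl` command line instead of the xmlsec `sign3`/`verify3` programs; `rsakey.pem`, `rsacert.pem` and `rootcert.pem` reuse the thread's file names, while the subjects, the `fake*` files and the function names are assumptions made up for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo: all names, subjects and files below are made up.
set -eu
work=$(mktemp -d)

# Build a root CA, a certificate it issues to "Person A", and a self-signed
# lookalike certificate that claims the same subject name.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$work/rootkey.pem" -out "$work/rootcert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Person A" \
    -keyout "$work/rsakey.pem" -out "$work/a.csr" 2>/dev/null
  openssl x509 -req -in "$work/a.csr" -days 1 -CA "$work/rootcert.pem" \
    -CAkey "$work/rootkey.pem" -CAcreateserial -out "$work/rsacert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Person A" \
    -keyout "$work/fakekey.pem" -out "$work/fakecert.pem" 2>/dev/null
}

# Sign a file with a private key (args: key, message, signature output).
sign_msg() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Signature-only check: does the signature match the key inside the
# certificate? (args: cert, message, signature)
sig_matches_cert() {
  openssl x509 -in "$1" -pubkey -noout > "$work/pub.pem"
  openssl dgst -sha256 -verify "$work/pub.pem" -signature "$3" "$2" >/dev/null 2>&1
}

# Trust check: does the certificate chain to the root we already hold?
chains_to_root() {
  openssl verify -CAfile "$work/rootcert.pem" "$1" >/dev/null 2>&1
}

setup_pki
echo "hello B" > "$work/msg.txt"
for who in rsa fake; do
  sign_msg "$work/${who}key.pem" "$work/msg.txt" "$work/$who.sig"
  sig=FAIL; chain=FAIL
  if sig_matches_cert "$work/${who}cert.pem" "$work/msg.txt" "$work/$who.sig"; then sig=ok; fi
  if chains_to_root "$work/${who}cert.pem"; then chain=ok; fi
  echo "${who}cert.pem: signature=$sig chain-to-root=$chain"
done
```

Both certificates pass the signature-only check, so a verifier that is handed only the signer's certificate over an untrusted channel cannot tell them apart; only the check against the root certificate does.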
