The certificate is in the xml signature itself. Open the file
and you will see it.
Aleksey
Brian McLaughlin wrote:
Aleksey,
Thank you for the response. I am aware that the rootcert.pem should be
used to authenticate that the public key being used acts as a trust
root, acknowledging that it trusts the signer of the document -
however, when I run the verify application, I would expect to provide
both the public key of the sender (to verify that it was indeed signed
with their private key) and the rootcert.pem, however - if I remove
the public key from the command line then I cannot understand how the
signature can be verified by the receiver if they have not supplied
the appropriate public key.
I am pretty good with security knowledge but XML is not a strong point
of mine so I'm trying to get to grips with this and the example isn't
quite hitting home yet! :-(
Thanks again for any help,
Brian McLaughlin.
Aleksey Sanin wrote:
You are describing the idea of "direct" trust when person A and B
have direct contact. If they can *securely* exchange the
certificates (i.e. public keys) then everything you describe is
working just fine.
However, in real life such direct *secure* communications are
not always possible. And this is the reason for having X509 PKI
when there is a third person (trusted party) who holds "trusted"
root certificate and provides a way to indirectly pass credentials
from person A to person B. Thus, signature verification involves
not only check for signature validity by itself but also the
validity of "trust" to this third person. And this is the reason to
pass 'rootcert.pem' in the command line.
This is a *very* brief description of X509 PKI. A good book on
cryptography might give you more explanations and insights on the
subject:
https://www.aleksey.com/xmlsec/related.html
Enjoy,
Aleksey
Brian McLaughlin wrote:
Hi,
I am attempting to use XMLsec for signing, verifying and
encrypting, decrypting XML documents. I have currently implemented
the example 3 for sign and verify and cannot understand the logic
of using the rootcert.pem for verifying the signature.
My understanding of the protocol is as follows:
Certificate authority issues a private key and a certificate
(signed by the certificate authority) to person A.
Certificate authority issues a private key and a certificate
(signed by the certificate authority) to person B.
When person A wants to communicate with person B, (s)he signs the
message with person A's private key. person B then receives the
message and verifies that the message was signed by person A by
using person A's public key.
As a result, I believed the commands in your example should be:
./sign3 sign3-doc.xml rsakey.pem rsacert.pem > sign3-res.xml
./verify3 sign3-res.xml rsacert.pem
Can you explain what I am misunderstanding if possible?
Thank you in advance, Brian McLaughlin.
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
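
The two checks discussed in this thread (the signature is valid for the certificate that travels with the message, and that certificate chains to the root the receiver trusts), as an added example that is not part of the original messages or of the xmlsec examples. It uses the openssl command line with a detached signature standing in for the XML signature; all file names, subject names and helper functions are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: every subject name and file here is made up for illustration.
# A detached openssl signature stands in for the XML signature.
work=$(mktemp -d)

make_ca() {      # $1 = file prefix, $2 = CN: self-signed root certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

issue_cert() {   # $1 = CA prefix, $2 = signer prefix, $3 = CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$work/$2.csr" -days 1 -CA "$work/$1.pem" \
    -CAkey "$work/$1.key" -CAcreateserial -out "$work/$2.pem" 2>/dev/null
}

sign_doc() {     # $1 = signer prefix: signer ships doc + signature + own cert
  openssl dgst -sha256 -sign "$work/$1.key" -out "$work/$1.sig" "$work/doc.xml"
}

# Check 1: the signature matches the public key inside the certificate that
# arrived with the message (the receiver supplies no signer key of its own).
signature_valid() {   # $1 = signer prefix
  openssl x509 -in "$work/$1.pem" -pubkey -noout > "$work/$1.pub" &&
  openssl dgst -sha256 -verify "$work/$1.pub" -signature "$work/$1.sig" \
    "$work/doc.xml" >/dev/null 2>&1
}

# Check 2: that certificate chains to the one root the receiver trusts.
chains_to_root() {    # $1 = trusted root prefix, $2 = signer prefix
  openssl verify -CAfile "$work/$1.pem" "$work/$2.pem" >/dev/null 2>&1
}

accept() {            # $1 = trusted root prefix, $2 = signer prefix
  signature_valid "$2" && chains_to_root "$1" "$2"
}

printf '<doc>hello</doc>\n' > "$work/doc.xml"
make_ca rootcert "Example Root CA"
make_ca otherca "Unrelated CA"
issue_cert rootcert personA "Person A"
issue_cert otherca lookalike "Person A"   # same subject name, different issuer
sign_doc personA
sign_doc lookalike

accept rootcert personA   && echo "personA: accepted"
accept rootcert lookalike || echo "lookalike: signature valid, issuer not trusted"
```

Both signatures pass the first check, because each is consistent with the certificate shipped alongside it; only the chain check against the receiver's root separates them.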