On 17 June 2011 15:18, Aleksey Sanin <[email protected]> wrote:
> The order of certificates is irrelevant for xml signature standard and xmlsec
> does nothing about it.
It does matter. Let me quote my esteemed colleague Paddy:

"""
The problem, if they are out of order, is knowing which is the end-entity certificate. There is no information to tell you which one it is - at least, there is no information that is *required* to be there. I don't think it is reasonable to expect a validator to try each certificate in turn, to sign the signed info hash, just to see which one correctly generates the signature data.

There is a way that you could include the required information in the XML Signature, because you can have an X509SKI or X509IssuerSerial element that does explicitly identify which of the certs is the end-entity cert. But inclusion of that information is optional.
"""

I assume that `xmlsec1 verify` has some sort of brute force approach when finding the key, though it could be more efficient, couldn't it?

We at WAC are pushing this as an additional digsig requirement, though I hope you can first accept this as a valid use case.

Many thanks, Aleksey,

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
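Paddy's point is that nothing in an unordered X509Data is required to mark the end-entity certificate. As an added example (not code from the thread, from WAC or from xmlsec), here is one verifier-side shortcut that avoids trial-signing every candidate: follow the issuer/subject links between the certificates and take the one that issued none of the others. The chain is built in-process under constructed names, the function names are mine, and the rule only holds when the bundle really is a single chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// EndEntity picks the certificate that issued no other certificate in the bundle (the bottom
// of the chain) without trial-signing; anything but exactly one such candidate is rejected.
func EndEntity(bundle []*x509.Certificate) (*x509.Certificate, error) {
	var leaves []*x509.Certificate
next:
	for _, c := range bundle {
		for _, o := range bundle {
			if o != c && string(o.RawIssuer) == string(c.RawSubject) {
				continue next // c issued o, so c is a CA here, not the end-entity
			}
		}
		leaves = append(leaves, c) // issued nothing else: a lone self-signed cert lands here too
	}
	if len(leaves) != 1 {
		return nil, fmt.Errorf("bundle has %d end-entity candidates, want exactly 1", len(leaves))
	}
	return leaves[0], nil
}

// Chain issues one certificate per name, each signed by the one before (the first is a self-signed
// root, only the last is not a CA), returning them root-first, i.e. CA-first. All of it is constructed.
func Chain(names ...string) []*x509.Certificate {
	certs, keys := make([]*x509.Certificate, len(names)), make([]ed25519.PrivateKey, len(names))
	for i, cn := range names {
		_, keys[i], _ = ed25519.GenerateKey(rand.Reader)
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), Subject: pkix.Name{CommonName: cn},
			IsCA: i < len(names)-1, BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
		signer, signerKey := tmpl, keys[i] // no issuer yet: the root signs itself
		if i > 0 {
			signer, signerKey = certs[i-1], keys[i-1]
		}
		der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, keys[i].Public(), signerKey)
		if certs[i], _ = x509.ParseCertificate(der); certs[i] == nil {
			panic("could not issue constructed certificate " + cn) // CreateCertificate failed: der is nil
		}
	}
	return certs
}
```

Where the signature does carry an X509IssuerSerial or X509SKI, matching on that is the better route; the topology rule is only a fallback for the optional-information case the quote describes.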
