Please show me the order requirement in the XML Signature spec :)
BTW, X509SKI and X509IssuerSerial *do not* point to the signature cert
either.
Aleksey
On 6/17/11 10:07 AM, Kai Hendry wrote:
On 17 June 2011 15:18, Aleksey Sanin <[email protected]> wrote:
The order of certificates is irrelevant for the xml signature standard and xmlsec
does nothing about it.
It does matter. Let me quote my esteemed colleague Paddy:
"""
The problem, if they are out of order, is knowing which is the
end-entity certificate. There is no information to tell you which one
it is - at least, there is no information that is *required* to be
there. I don't think it is reasonable to expect a validator to try
each certificate in turn, to sign the signed info hash, just to see
which one correctly generates the signature data.
There is a way that you could include the required information in the
XML Signature, because you can have an X509SKI or X509IssuerSerial
element that does explicitly identify which of the certs is the
end-entity cert. But inclusion of that information is optional.
"""
I assume that `xmlsec1 verify` has some sort of brute-force approach
when finding the key, though it could be more efficient, couldn't it?
We at WAC are pushing this as an additional digsig requirement, though
I hope you can first accept this as a valid use case.
Many thanks, Aleksey,
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
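For anyone implementing the validator side of this discussion, here is an added example (not code from xmlsec, from the thread, or from WAC) of the two ways a verifier can pick the end-entity certificate out of an X509Data whose X509Certificate children are in arbitrary order: honour the optional X509IssuerSerial hint Paddy mentions when it is present, and otherwise rebuild the issuer/subject chain and take the certificate that issues nothing else. It assumes the third-party Python `cryptography` package; the demo chain, the KeyInfo document and the function names (`build_chain`, `key_info_xml`, `find_end_entity`, `demo`) are constructed for this example. The brute-force approach Kai describes (trying each key against SignedInfo) needs XML canonicalization and is not shown.

```python
"""Find the end-entity certificate in an unordered ds:X509Data.

Added example, not xmlsec code. Assumes the third-party `cryptography`
package; the chain and the KeyInfo XML below are constructed for the demo.
"""
import base64
import datetime
import random
import xml.etree.ElementTree as ET

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

DS = "http://www.w3.org/2000/09/xmldsig#"


def _make_cert(subject_cn, issuer_cert, issuer_key, ca):
    """Issue a short-lived EC certificate; self-signed when issuer_cert is None."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .sign(issuer_key if issuer_key is not None else key, hashes.SHA256())
    )
    return cert, key


def build_chain():
    """Constructed demo chain: root CA -> intermediate CA -> signing leaf."""
    root, root_key = _make_cert("Demo Root", None, None, True)
    inter, inter_key = _make_cert("Demo Intermediate", root, root_key, True)
    leaf, _ = _make_cert("Demo Signer", inter, inter_key, False)
    return root, inter, leaf


def key_info_xml(certs, hint_cert=None):
    """Serialise ds:KeyInfo with certs in the given order; optionally add the
    X509IssuerSerial element that names the signing certificate."""
    ET.register_namespace("ds", DS)
    ki = ET.Element(f"{{{DS}}}KeyInfo")
    data = ET.SubElement(ki, f"{{{DS}}}X509Data")
    if hint_cert is not None:
        iss = ET.SubElement(data, f"{{{DS}}}X509IssuerSerial")
        ET.SubElement(iss, f"{{{DS}}}X509IssuerName").text = hint_cert.issuer.rfc4514_string()
        ET.SubElement(iss, f"{{{DS}}}X509SerialNumber").text = str(hint_cert.serial_number)
    for c in certs:
        der = c.public_bytes(serialization.Encoding.DER)
        ET.SubElement(data, f"{{{DS}}}X509Certificate").text = base64.b64encode(der).decode()
    return ET.tostring(ki, encoding="unicode")


def find_end_entity(xml_text):
    """Return (certificate, strategy). Raises ValueError when the choice is ambiguous."""
    root = ET.fromstring(xml_text)
    certs = [x509.load_der_x509_certificate(base64.b64decode(e.text))
             for e in root.iter(f"{{{DS}}}X509Certificate")]
    if not certs:
        raise ValueError("no X509Certificate elements")
    hint = root.find(f".//{{{DS}}}X509IssuerSerial")
    if hint is not None:
        # Strategy 1: the signer told us. Real validators must compare DNs as
        # RFC 2253 names, not raw strings; the string compare is a demo shortcut.
        issuer = hint.findtext(f"{{{DS}}}X509IssuerName")
        serial = int(hint.findtext(f"{{{DS}}}X509SerialNumber"))
        for c in certs:
            if c.issuer.rfc4514_string() == issuer and c.serial_number == serial:
                return c, "X509IssuerSerial"
        raise ValueError("X509IssuerSerial matches none of the certificates")
    if len(certs) == 1:
        return certs[0], "only certificate"
    # Strategy 2: the leaf is the one certificate whose subject issues nothing
    # else in the set. A self-signed root issues itself, so it is excluded.
    issuers = {c.issuer for c in certs}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"cannot pick an end-entity certificate: {len(leaves)} candidates")
    return leaves[0], "issuer/subject chain"


def demo(seed=0):
    """Shuffle the demo chain and resolve the signer with and without the hint."""
    root, inter, leaf = build_chain()
    certs = [leaf, root, inter]
    random.Random(seed).shuffle(certs)
    with_hint = find_end_entity(key_info_xml(certs, hint_cert=leaf))
    no_hint = find_end_entity(key_info_xml(certs))
    return with_hint, no_hint, leaf


if __name__ == "__main__":
    (c1, s1), (c2, s2), leaf = demo()
    print(s1, c1.subject.rfc4514_string(), "|", s2, c2.subject.rfc4514_string())
```

Strategy 2 is only sound for a single, complete chain: two unrelated certificates (for example two self-signed roots, or a set containing a cross-certificate) leave either zero or several candidates, and the function refuses to guess rather than silently picking one. That is exactly the gap Paddy describes, and why an explicit X509IssuerSerial or X509SKI from the signer is the only unambiguous answer.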