[xmlsec] X509Certificate ordering

Aleksey Sanin aleksey at aleksey.com
Fri Jun 17 10:10:31 PDT 2011


Please show me the order requirement in the XML Signature spec :)

BTW, X509SKI and X509IssuerSerial *do not* point to the signature cert 
either.

Aleksey


On 6/17/11 10:07 AM, Kai Hendry wrote:
> On 17 June 2011 15:18, Aleksey Sanin <aleksey at aleksey.com> wrote:
>> The order of certificates is irrelevant for xml signature standard and xmlsec
>> does nothing about it.
>
> It does matter. Let me quote my esteemed colleague Paddy:
>
> """
> The problem, if they are out of order, is knowing which is the
> end-entity certificate. There is no information to tell you which one
> it is - at least, there is no information that is *required* to be
> there. I don't think it is reasonable to expect a validator to try
> each certificate in turn, to sign the signed info hash, just to see
> which one correctly generates the signature data.
>
> There is a way that you could include the required information in the
> XML Signature, because you can have an X509SKI or X509IssuerSerial
> element that does explicitly identify which of the certs is the
> end-entity cert. But inclusion of that information is optional.
> """
>
> I assume that `xmlsec1 verify` has some sort of brute force approach
> when finding the key, though it could be more efficient couldn't it?
>
> We at WAC are pushing this as an additional digsig requirement, though
> I hope you can first accept this as a valid use case.
>
>
> Many thanks Aleksey,
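The inference Paddy's note describes, done on the validator side: with no X509SKI or X509IssuerSerial to point at the signing cert, the only structural clue in an unordered set of X509Certificate values is which cert signed no other member. This is an added example, not xmlsec or WAC code; FindEndEntity, Issue and SampleChain are hypothetical names, and the chain is constructed in-process with Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// FindEndEntity picks the leaf out of an unordered certificate set: the one member
// that signed no other member. Zero or several candidates means the set is ambiguous.
func FindEndEntity(certs []*x509.Certificate) (*x509.Certificate, error) {
	var leaves []*x509.Certificate
cands:
	for _, cand := range certs {
		for _, other := range certs {
			if other != cand && other.CheckSignatureFrom(cand) == nil {
				continue cands // cand issued another member, so it is not the leaf
			}
		}
		leaves = append(leaves, cand)
	}
	if len(leaves) != 1 {
		return nil, errors.New("no unique end-entity certificate in set")
	}
	return leaves[0], nil
}

// Issue mints a constructed cert for cn with a fresh P-256 key, signed by parentKey (nil parent: self-signed).
func Issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	// The fixed templates cannot fail, so errors are not checked in this constructed sample.
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SampleChain returns a constructed root -> intermediate -> leaf chain, deliberately out of order.
func SampleChain() []*x509.Certificate {
	root, rootKey := Issue("root", 1, true, nil, nil)
	inter, interKey := Issue("intermediate", 2, true, root, rootKey)
	leaf, _ := Issue("leaf", 3, false, inter, interKey)
	return []*x509.Certificate{inter, root, leaf}
}
```

Because CheckSignatureFrom refuses any candidate issuer without cA=true, a leaf can never be mistaken for an issuer, but two unrelated self-signed certs in one KeyInfo remain undecidable, which is the gap the thread is about.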

