[xmlsec] Verify - OpenSSL vs mscrypto

Dmitry Belyavsky beldmit at cryptocom.ru
Wed Jan 11 08:51:13 PST 2006


On Wed, 11 Jan 2006, Edward Shallow wrote:

> > Dmitry wrote ...
> >
> > Edward, when you verify the signature using your own certs ('MY' cert
> > storage), the library doesn't verify the chain using my patch. To see my patch
> > really works you need to verify the signature from the other user's account
> > with signer's CA cert and CRL installed.

> I do not know what you mean by "the other user's account". All personal
> certificates used by an individual are installed in the default 'MY' store.
> At verification time, the starting point for the get certificate chain
> processing is from the cert context of the signer's cert no matter who does
> that verification. In fact the signer's cert should not have to be in the
> verifier's store at verify time. The first certificate to chase in the chain
> should be the immediate issuer's certificate etc ... What does "other user's
> account" mean?

I mean that the signature is more often verified by a user different from
the signer. So the sender's certs are not placed in the "MY" store. In my copy
of Windows the store is known as "Trusted users", though my colleagues
say its correct name is "Addressbook".

SY, Dmitry Belyavsky (ICQ UIN 11116575)
