[xmlsec] Re: GOST support in xmlsec

Amiler Scumba amiler_scumba at hotmail.com
Tue Feb 14 12:54:04 PST 2006

>>>Hm... Any particular reason for this? It seems to me that if you have
>>>trusted certs then you need to use *all* of them. Plus I am a little
>>>bit afraid that this might screw existing applications.
>>It seems to me there is almost no reason to avoid installing trusted
>>certs and corresponding CRLs to the system storage. So user can either
>>provide the chain passing all necessary certs manually or suppose the
>>root cert (or 1st some certs) are already present in the system.
>>Unfortunately, we didn't found a way to add trusted certs to system
>>store during cert chain verification.
>Exactly! So why not to keep the existing logic:
>- check the "current" trusted certs from the KeyManager (kind of session
>   trusted certs)
>- then check the system trusted certs
>I am not sure I like the idea of excluding system certs all together. It
>does not sound right to me.


There are scenarios when you do not want to use the system store. For 
example: an application might use different digital signature policies for 
different kind of documents. The signature policiy should specify which 
certs are trusted. We would like to avoid scenario when a system 
administraotr might accidently change the behaviour of one of the 
applications running on the system by acidentally installing a nes trusted 
certificate into a system store.

On the other hand, I agree, that the patch should not change the existing 
behaviour and thus break the existing applications.

My opinion is that Xmlsec need more flexible support for tuning the chain 
building process. Currently I am finding my way aroud the source code trying 
to understand what it currently does and what it does not do. I hope, I will 
be able to contribute soon ;-)


>>Unfortunately, we didn't found a way to add trusted certs to system
>>store during cert chain verification.

You can add the trusted certs to system store through CrotoAPI. However, I 
would advice against it, becaue this (temporarily) changes the global state 
of the system and might have side affects on other applications (see above). 
You can specify additional stores when building the chain with 
CertGetCertificateChain (I thing you are already doing this).


Express yourself instantly with MSN Messenger! Download today it's FREE! 

More information about the xmlsec mailing list