[xmlsec] RE: Need urgent help for verify

ed.shallow at rogers.com ed.shallow at rogers.com
Wed May 31 11:25:12 PDT 2006

Sure, agree. But the KeyName means something specific in the mscrypto world, as xmlsec is interpreting it as the MS "friendly" cert name in the crypto store. I would contend that priority should be given to any included X509Certificate when verifying. This is one of the reasons signers attempt to make things as easy as possible for the verifier by including such things. Even CRLs and issuer certs make verification almost totally independent of external dependencies.
Does it not make sense to check X509Certificate first? Or must we consciously remove KeyName to avoid problems in the mscrypto world, where the chances of actually having the public verification certificate in the verifier's mscrypto store are remote at best?

----- Original Message ----
From: Aleksey Sanin <aleksey at aleksey.com>
To: ed.shallow at rogers.com
Cc: Jürgen Heiss <jheiss at Mesonic.com>; xmlsec at aleksey.com
Sent: Wednesday, May 31, 2006 11:54:26 AM
Subject: Re: [xmlsec] RE: Need urgent help for verify

> I would wager, but Aleksey is the expert, that it might be a good idea
> to ignore the KeyName if an X509Certificate is present when verifying.
> After all, the reason it got there in the first place is that it was used
> to select the cert/key when you originally signed it with xmlsec and is
> left over from the sign operation. It will verify fine if you manually
> remove the KeyName. Comments Aleksey?

Well, when you verify a signature, you have to find a key. If both
KeyName and Certificate are present then you have to try both since
you don't know which one will work....


xmlsec mailing list
xmlsec at aleksey.com
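The ordering question debated above (embedded X509Certificate first, KeyName lookup in the local store as a fallback) is shown below as an added, self-contained example; it is not xmlsec's code and does not call the xmlsec library. It parses a constructed ds:KeyInfo with the standard library, and the certificate bytes, the local "friendly name" store and the trusted-fingerprint set are all constructed stand-ins. The one point it adds to the thread is a defender's caveat: the embedded certificate travels inside the document being verified, so giving it priority is only safe when it is checked against a trust anchor; the fingerprint allow-list here is a stand-in for real chain validation.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for DER certificate bytes; these are not real certificates.
EMBEDDED_CERT_DER = b"constructed-embedded-cert-der"
STORE_CERT_DER = b"constructed-store-cert-der"

# Constructed ds:KeyInfo carrying both a KeyName and an X509Certificate,
# the combination the thread is about.
SAMPLE_KEYINFO = (
    f'<KeyInfo xmlns="{DS_NS}">'
    "<KeyName>signer-friendly-name</KeyName>"
    "<X509Data><X509Certificate>"
    + base64.b64encode(EMBEDDED_CERT_DER).decode("ascii")
    + "</X509Certificate></X509Data>"
    "</KeyInfo>"
)

# Constructed local certificate store keyed by "friendly name", which is what
# KeyName resolves to on the mscrypto backend according to the thread.
LOCAL_STORE = {"signer-friendly-name": STORE_CERT_DER}


def fingerprint(der):
    """SHA-256 fingerprint of DER bytes, as a hex string."""
    return hashlib.sha256(der).hexdigest()


def extract_key_hints(keyinfo_xml):
    """Collect KeyName values and embedded certificates (DER bytes) from a ds:KeyInfo."""
    root = ET.fromstring(keyinfo_xml)
    names = [e.text.strip() for e in root.iter(f"{{{DS_NS}}}KeyName") if e.text]
    certs = []
    for e in root.iter(f"{{{DS_NS}}}X509Certificate"):
        if e.text:
            # Base64 in XML may be wrapped; drop all whitespace before decoding.
            certs.append(base64.b64decode("".join(e.text.split())))
    return {"key_names": names, "certificates": certs}


def candidate_keys(hints, store, trusted_fingerprints):
    """Order the verification-key candidates as (source, fingerprint) pairs.

    Embedded certificates come first, since they make verification independent
    of the verifier's store, but only when their fingerprint is in the trusted
    set: the certificate is part of the signed document, so without a trust
    check the signer would be picking the key used to check their own
    signature. KeyName lookups in the local store follow as the fallback, so a
    verifier without the "friendly name" in its store still has the embedded
    path. The allow-list of fingerprints is an assumption standing in for
    full chain validation against a trust anchor.
    """
    ordered = []
    for der in hints["certificates"]:
        fp = fingerprint(der)
        if fp in trusted_fingerprints:
            ordered.append(("embedded-cert", fp))
    for name in hints["key_names"]:
        der = store.get(name)
        if der is not None:
            ordered.append(("keyname:" + name, fingerprint(der)))
    return ordered


if __name__ == "__main__":
    hints = extract_key_hints(SAMPLE_KEYINFO)
    trusted = {fingerprint(EMBEDDED_CERT_DER)}
    for source, fp in candidate_keys(hints, LOCAL_STORE, trusted):
        print(f"{source}: {fp[:16]}...")
```

With the embedded certificate trusted, the embedded key is tried before the KeyName lookup; with an empty store and no trust anchor the candidate list is empty, which is the "remote at best" case from the message rather than a silent fallback to whatever certificate the document supplied.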