aleksey at aleksey.com
Tue Jul 18 21:36:11 PDT 2006
> The addition of the certificate chain just seems to introduce
> noise into this process, and add unnecessary complication.
This is not quite true... Establishing/defining trust is a very
important part of PKI (and signature verification).
> Sorry, I should have mentioned that the author uses the Apache library.
> He informed me that the library would validate the signature if the key
> happened to be in the first X509Data element. (Hence the "get lucky"
> comment). My experience with xmlsec is that the validation fails because
> the chain can't be validated.
Not sure about the exact details of the Apache library behavior... But xmlsec
will not use a certificate unless that certificate can be "traced back"
through a certificate chain to one of the system's known "trusted"
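The trust rule Aleksey describes, shown with an added example that is not part of this thread: a throwaway root CA and leaf certificate are constructed with openssl, and the leaf is accepted only when its issuer is in the trusted store. A certificate that is merely present (the way one can sit in an X509Data element) is not trusted by itself. File and subject names are assumptions.

```shell
#!/bin/sh
# Added example: build a constructed root CA -> leaf chain and check that
# chain validation succeeds only against the right trust anchor.
set -e
WORK=$(mktemp -d)
cd "$WORK"

make_chain() {
  # Self-signed root CA (constructed, throwaway; this is the trust anchor)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Example Root CA" -days 1 >/dev/null 2>&1
  # Signer key and CSR (the key that would sign the XML document)
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=signer" >/dev/null 2>&1
  # Leaf certificate issued by the CA: this is the chain to be "traced back"
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out leaf.pem -days 1 >/dev/null 2>&1
  # An unrelated self-signed certificate: it can be embedded in a document,
  # but no trusted anchor vouches for it
  openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.pem \
    -subj "/CN=rogue" -days 1 >/dev/null 2>&1
}

# verify_leaf <cert.pem> <trusted.pem>: exit 0 only if the certificate chains
# to a certificate in the trusted store, which is the check xmlsec performs
verify_leaf() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_chain
verify_leaf leaf.pem ca.pem && echo "leaf trusted via CA: ok"
verify_leaf rogue.pem ca.pem || echo "rogue cert rejected: ok"
verify_leaf leaf.pem rogue.pem || echo "leaf with wrong anchor rejected: ok"
```

With the xmlsec1 command line the trust anchor is supplied the same way, via `--trusted-pem ca.pem` on the `--verify` invocation, and a certificate that only appears inside the document's X509Data gains no trust from being there.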