[xmlsec] Re: XMLDSig Query

Aleksey Sanin aleksey at aleksey.com
Wed Mar 28 23:20:53 PST 2007 

The certificate is in the xml signature itself. Open the file
and you will see it.

Aleksey

Brian McLaughlin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Aleksey,
> 
> Thank you for the response. I am aware that the rootcert.pem should be
> used to authenticate that the public key being used acts as a trust
> root, acknowledging that it trusts the signer of the document -
> however, when I run the verify application, I would expect to provide
> both the public key of the sender (to verify that it was indeed signed
> with their private key) and the rootcert.pem, however - if I remove
> the public key from the command line then I cannot understand how the
> signiture can be verified by the receiver if they have not supplied
> the appropriate public key.
> 
> I am pretty good with security knowledge but XML is not a strong point
> of mine so I'm trying to get to grips with this and the example isn't
> quite hitting home yet! :-(
> 
> Thanks again for any help,
> Brian McLaughlin.
> 
> Aleksey Sanin wrote:
> 
>> You are describing the idea of "direct" trust when person A and B
>> have direct contact. If they can *securely* exchange the
>> certificates (i.e. public keys) then everything you describe is
>> working just fine.
>>
>> However, in the real life such direct *secure* communications are
>> not always possible. And this is the reason for having X509 PKI
>> when there is a third person (trusted party) who holds "trusted"
>> root certificate and provides a way to indirectly pass credentials
>> from person A to person B. Thus, signature verification involves
>> not only check for signature validity by itself but also the
>> validity of "trust" to this third person. And this is the reason to
>> pass 'rootcert.pem' in the command line.
>>
>> This is *very* brief description of X509 PKI. Good book on
>> cryptography might give your more explanations and insights on the
>> subject:
>>
>> https://www.aleksey.com/xmlsec/related.html
>>
>> Enjoy,
>>
>> Aleksey
>>
>> Brian McLaughlin wrote:
>>
> 
>> Hi,
>>
>> I am attempting to use XMLsec for signing, verifying and
>> encrypting,decrypting XML documents. I have currently implemented
>> the example 3 for sign and verify and cannot understand the logic
>> of using the rootcert.pem for verifying the signiture.
>>
>> My understanding of the protocol is as follows:
>>
>> Certificate authority issues a private key and a certificate
>> (signed by the certificate authority) to person A Certificate
>> authority issues a private key and a certificate (signed by the
>> certificate authority) to person B
>>
>> When person A wants to communicate with person B, (s)he signs the
>> message with person A's private key. person B then receives the
>> message and verifies that the message was signed by person A by
>> using person A's public key.
>>
>> as a result, I believed the commands in your example should be:
>>
>>
>> ./sign3 sign3-doc.xml rsakey.pem rsacert.pem > sign3-res.xml
>> ./verify3 sign3-res.xml rsacert.pem
>>
>>
>> Can you explain what I am missunderstanding if possible,
>>
>> Thank you in advance, Brian McLaughlin.
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> 
> iD8DBQFGC2g3x+Pka16x9kURAm+9AKCYvRUO/eexF7IwE48PlHVrXA88MQCfecAC
> yqwP99qaj94CzCf6aBxuQEc=
> =t0iM
> -----END PGP SIGNATURE-----
>

More information about the xmlsec mailing list