[xmlsec] Including X509 cert chain in Signature

David Allen d.allen at qub.ac.uk
Thu Feb 7 14:09:17 PST 2008


Aleksky
I really should have thought a bit harder before posting my query - my only defence is that I was tired and it was VERY late. I take your point about forcing inclusion of the root certificate but what about intermediate certificates? While they are necessary to establish trust, they are not by themselves (i.e. without the root cert) **sufficient** to establish trust.
As regards my second question - I asked because I was puzzled as to why my test signature was verifying OK in the apparent absence of the root certificate! It was only after you replied that I realised that the root certificate was NOT absent (the signing and the verification were happening on the same (windows) machine so the root certificate WAS most certainly available!) so everything was working exactly as it should!

Thanks for your patience - and for a very effective library!
David Allen

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com]
Sent: 15 January 2008 03:11
To: David Allen
Cc: xmlsec at aleksey.com
Subject: Re: [xmlsec] Including X509 cert chain in Signature

> 1/ How do I force inclusion of the root certificate?
You don't want to. Root certificate (trusted certificate) establishes "trust" and it should be communicated to the verifier by the outside trusted channel.

> 2/ Should the signature verify in the absence of the root certificate?
No. See above.

You might want to read a book on PKI/certificates.

Aleksey




More information about the xmlsec mailing list