[xmlsec] Issues using xmlsec for SAML

Ed Shallow ed.shallow at rogers.com
Mon May 26 19:37:01 PDT 2008

All the elements below are exposable using signatures created with xmlsec,
but I guess your problem is signatures that only have an X509Certificate
element ? That's the signers prerogative.

I have no problems, if I can't follow the cert chain to an accepted set of
roots I have been authorized to verify against TrustedRootPems, the xmlsec
verify throws error. I don't really care to report who signed it if the
signer chose not to expose these additional elements in the first place.

Is this Davis Chapman of Developing Secure Applications in ... fame ?   


Also <KeyName>

-----Original Message-----
From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
Behalf Of Dave Chapman
Sent: Monday, May 26, 2008 5:29 PM
To: xmlsec at aleksey.com
Subject: Re: [xmlsec] Issues using xmlsec for SAML

Aleksey Sanin wrote:
> You have to use OpenSSL, NSS, or any other crypto provider functions
> to access this information.

Is there a reason for xmlsec not providing access to this information?

It would seem to me to be a fundamental feature of signatures - anyone 
checking a signature needs to know both a) that the signature is valid 
and the document hasn't been modified since signing; and b) who signed 
the file.

How do other people reading this mail deal with this issue?


xmlsec mailing list
xmlsec at aleksey.com

More information about the xmlsec mailing list