[xmlsec] Issues using xmlsec for SAML

Ed Shallow ed.shallow at rogers.com
Mon May 26 19:37:01 PDT 2008


All the elements below are exposable using signatures created with xmlsec,
but I guess your problem is signatures that only have an X509Certificate
element? That's the signer's prerogative.

I have no problems: if I can't follow the cert chain to an accepted set of
roots I have been authorized to verify against (TrustedRootPems), the xmlsec
verify throws an error. I don't really care to report who signed it if the
signer chose not to expose these additional elements in the first place.

Is this Davis Chapman of Developing Secure Applications in ... fame?

<X509SubjectName>
<X509IssuerSerial>
    <X509IssuerName>
    <X509SerialNumber>
</X509IssuerSerial>

Also <KeyName>

-----Original Message-----
From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
Behalf Of Dave Chapman
Sent: Monday, May 26, 2008 5:29 PM
To: xmlsec at aleksey.com
Subject: Re: [xmlsec] Issues using xmlsec for SAML

Aleksey Sanin wrote:
> You have to use OpenSSL, NSS, or any other crypto provider functions
> to access this information.

Is there a reason for xmlsec not providing access to this information?

It would seem to me to be a fundamental feature of signatures - anyone 
checking a signature needs to know both a) that the signature is valid 
and the document hasn't been modified since signing; and b) who signed 
the file.

How do other people reading this mail deal with this issue?

Thanks,

Dave.
_______________________________________________
xmlsec mailing list
xmlsec at aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
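As an added illustration of the elements Ed lists and the question Dave raises (example code, not from the xmlsec project or from either poster): a small Python check that records which identity elements a ds:KeyInfo carries and separates what xmlsec's trust-chain check actually authenticated from what the signer merely asserted. The sample KeyInfo, its names and its serial number are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed ds:KeyInfo in the shape listed above; the X509Certificate
# value is a placeholder, not a real certificate.
SAMPLE_KEYINFO = """<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <KeyName>idp-signing-key</KeyName>
  <X509Data>
    <X509SubjectName>CN=idp.example.org,O=Example IdP</X509SubjectName>
    <X509IssuerSerial>
      <X509IssuerName>CN=Example Root CA,O=Example</X509IssuerName>
      <X509SerialNumber>4711</X509SerialNumber>
    </X509IssuerSerial>
    <X509Certificate>PLACEHOLDER-BASE64-DER</X509Certificate>
  </X509Data>
</KeyInfo>"""


def _text(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def signer_hints(keyinfo_xml):
    """Collect whichever signer-identifying elements the signer chose to
    include in ds:KeyInfo; any of them may be absent."""
    root = ET.fromstring(keyinfo_xml)
    hints = {}
    if (v := _text(root, "ds:KeyName")) is not None:
        hints["KeyName"] = v
    if (v := _text(root, "ds:X509Data/ds:X509SubjectName")) is not None:
        hints["X509SubjectName"] = v
    issuer = _text(root, "ds:X509Data/ds:X509IssuerSerial/ds:X509IssuerName")
    serial = _text(root, "ds:X509Data/ds:X509IssuerSerial/ds:X509SerialNumber")
    if issuer is not None and serial is not None:
        hints["X509IssuerSerial"] = (issuer, int(serial))
    hints["X509Certificate"] = _text(root, "ds:X509Data/ds:X509Certificate") is not None
    return hints


def classify(hints, chain_verified):
    """Split hints into what the chain check authenticated and what is merely
    asserted. KeyInfo is not covered by the signature unless a Reference
    points at it, so names and serials there can be altered without
    invalidating the signature; report them only as claims."""
    cert_ok = chain_verified and hints.get("X509Certificate", False)
    return {"authenticated": ["X509Certificate"] if cert_ok else [],
            "asserted": [k for k in hints if k != "X509Certificate"]}
```

The subject, issuer and serial to report as "who signed" should then be read from the verified certificate itself through the crypto provider, as Aleksey suggests, not from the asserted elements.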