[xmlsec] Loading publickeys from KeyInfo/X509Data
Benjamin Dauvergne
bdauvergne at entrouvert.com
Wed Feb 10 09:36:05 PST 2010
Aleksey Sanin wrote:
> Right. There is a problem that the DONT_VERIFY_CERTS
> flag disables both certs verification and key extraction.
>
> The problem is that w/o verification you can't build certs
> chain and you don't know which certificate is the "top" one
> to use for key extraction.
But if there is only one certificate (99,9% of our cases ;) ) it's easy.
And what happens if you have two valid certificates but not related (not
in child/parent relation) ? From which one do you take the key ?
Would special casing for lone certificates with warning in other cases
be acceptable ?
More information about the xmlsec
mailing list