[xmlsec] X509Certificate ordering
Wolfgang Woehl
tito at online.de
Fri Jun 17 12:44:53 PDT 2011
Kai Hendry:
> On 17 June 2011 15:18, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > The order of certificates is irrelevant for xml signature standard and xmlsec
> > does nothing about it.
>
>
> It does matter. Let me quote my esteemed colleague Paddy:
>
> """
> The problem, if they are out of order, is knowing which is the
> end-entity certificate. There is no information to tell you which one
> it is - at least, there is no information that is *required* to be
> there.
Issuer and Subject names will tell you everything you need to know. In a
certificate chain the leaf certificate's subject name will not show up
as issuer in any of the other chain members.
--
Wolfgang Woehl
Filmmuseum Munich http://www.stadtmuseum-online.de/aktuell/filmre.htm
Digital Cinema Tools https://github.com/wolfgangw/digital_cinema_tools/wiki
Dietrich https://github.com/wolfgangw/dietrich/wiki
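
The name-chaining rule from the reply above, as an added example that is not part of the original message or of xmlsec. It assumes each certificate has already been reduced to a (subject, issuer) pair of DN strings; `order_chain`, `ChainError` and the sample names are hypothetical. It orders by names only and verifies no signatures.

```python
class ChainError(ValueError):
    """Raised when names alone do not yield one unambiguous chain."""

def order_chain(certs):
    """Order (subject, issuer) name pairs leaf-first using names only."""
    certs = list(dict.fromkeys(certs))  # drop exact duplicates, keep order
    by_subject = {}
    for subject, issuer in certs:
        if subject in by_subject:
            raise ChainError(f"two certificates share subject {subject!r}")
        by_subject[subject] = (subject, issuer)
    # Names that appear as issuer of some *other* member; a self-signed
    # root naming itself does not count.
    used_as_issuer = {iss for sub, iss in certs if iss != sub}
    # The leaf is the member whose subject nobody else names as issuer.
    leaves = [c for c in certs if c[0] not in used_as_issuer]
    if len(leaves) != 1:
        raise ChainError(f"expected exactly one leaf, found {len(leaves)}")
    ordered, current = [], leaves[0]
    while True:
        ordered.append(current)
        subject, issuer = current
        if issuer == subject or issuer not in by_subject:
            break  # self-signed root, or issuer not shipped in the set
        current = by_subject[issuer]
        if current in ordered:
            raise ChainError("issuer names form a loop")
    if len(ordered) != len(certs):
        raise ChainError("some certificates are not on the leaf's path")
    return ordered

# Constructed sample: an out-of-order set as it might appear in X509Data.
SAMPLE = [
    ("CN=Example Root CA", "CN=Example Root CA"),
    ("CN=signer.example", "CN=Example Intermediate CA"),
    ("CN=Example Intermediate CA", "CN=Example Root CA"),
]

if __name__ == "__main__":
    for subject, issuer in order_chain(SAMPLE):
        print(f"{subject}  <-  {issuer}")
```

Two end-entity certificates under the same issuer, or a stray unrelated certificate, raise `ChainError` instead of producing a guess.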