[xmlsec] another newbie question
Lee, Insoo
Insoo.Lee at gs.com
Sun Mar 14 14:08:08 PST 2004
Hello all -
could I ask you another newbie question?
I'm a bit confused with certificate business - I'm lacking the
fundamentals...
We are planning to receive a signed XML message from our client.
This XML message will have X509 in its header.
Once I receive this message, I extract the X509 and validate it.
Now here is the question, shouldn't I check the validity of the
certificate??
Let's say this is the certificate issued by VeriSign.
Do I need to somehow connect to VeriSign to confirm that this certificate is
genuine and still valid?
Can't anybody intercept this message and modify it and use his own private
key to regenerate digest and attach his own certificate?
Then according to this imposter's certificate, it's good message..
Thanks
Lee
Insoo Lee
Goldman, Sachs & Co.
917-343-0973 | insoo.lee at gs.com | 32 Old Slip 9th Fl.
More information about the xmlsec
mailing list