[xmlsec] Verify - OpenSSL vs mscrypto

Dmitry Belyavsky beldmit at cryptocom.ru
Wed Jan 11 11:06:14 PST 2006


Greetings!

On Wed, 11 Jan 2006, Edward Shallow wrote:

> Yes I see what you are saying now. In my environment the store is called
> "other people".
>
> So from a recipient as a verifier 'MY' signing cert would be in his "Other
> People" store. However if the cert is in 'MY' as opposed to 'OtherPeople' it
> should still work.
>
> There are 2 concerns here:
>
> 1) the verifier may have to check multiple stores to find the signer's cert
>
> 2) why does the cert even have to be in "any" store if it is already
> contained in the signed document ?

XMLSec uses the cert from the signed document when it exists. So the
patch I provided builds a verification chain for this cert.

> In the case of OpenSSL all you need to verify the trust chain is the issuer
> or issuers certs loaded into the KeysMngr. This makes sense. In mscrypto,
> why can't we start the chain search from the signer's issuer extracted from
> the cert in the signed document, and not from the signer itself ?

Sorry, I don't understand this idea. The signer's cert should provide
the correct chain, i.e. each cert in the chain should be correctly signed and
shouldn't be revoked. What's the idea of building a chain from the signer's
cert issuer?

>    There will be many situations where the recipient does not have the
> signer's public cert in their store.

Yes, when the signer's cert is in the document, if the CA cert and CRL
are correctly installed, the chain will be built successfully.

-- 
SY, Dmitry Belyavsky (ICQ UIN 11116575)
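The two points of this exchange, that on the OpenSSL side the verifier only needs the issuer's cert in its trusted set, and that the embedded signer cert then chains successfully as long as the CA cert and CRL are installed, can be reproduced with the openssl command-line tool alone. The script below is an added example, not code from the thread or from xmlsec: it builds a throw-away CA, issues a signer cert (standing in for the cert carried in the document's KeyInfo), verifies it against nothing but the CA cert plus CRL, then revokes it and shows the same chain being rejected. All names, file paths and the minimal `ca.cnf` are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the xmlsec thread): models the OpenSSL side of
# verifying a signer cert that arrives with the document, using only the
# CA cert and its CRL as installed trust material.  Needs the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build a throw-away PKI: root CA, one signer cert, one (initially empty) CRL.
setup_pki() {
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_signer ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = demo
[ demo ]
database = ca/index.txt
crlnumber = ca/crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
  mkdir -p ca
  : > ca/index.txt
  echo 01 > ca/crlnumber
  # Self-signed CA: the one cert the verifier must have installed.
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -subj "/CN=Example Root CA" -days 30 2>/dev/null
  # Signer cert: this is what would be embedded in the signed document.
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout signer.key -out signer.csr -subj "/CN=Example Signer" 2>/dev/null
  openssl x509 -req -in signer.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_signer -out signer.pem -days 30 2>/dev/null
  # Empty CRL, signed by the CA.
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# What the verifier does with the cert taken out of the document: chain it to
# the installed CA cert and check the CA's CRL.  Prints "ok" or "rejected".
verify_chain() {
  if openssl verify -CAfile ca.pem -CRLfile ca.crl -crl_check "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# Revoke the signer and publish a fresh CRL (the "shouldn't be revoked" leg).
revoke_signer() {
  openssl ca -config ca.cnf -revoke signer.pem 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

setup_pki
BEFORE=$(verify_chain signer.pem)    # ok
revoke_signer
AFTER=$(verify_chain signer.pem)     # rejected
echo "before revocation: $BEFORE, after revocation: $AFTER"
```

Note that `signer.pem` is never added to any store: it is handed to `openssl verify` directly, exactly as a verifier would hand over the cert pulled from the document, and the chain is built from the signer cert upward to the installed CA cert. Dropping `-CRLfile`/`-crl_check` would make the revoked cert verify again, which is why the CRL has to be installed alongside the CA cert.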
