[xmlsec] Re: XMLDSig Query

Aleksey Sanin aleksey at aleksey.com
Wed Mar 28 23:02:00 PST 2007


You are describing the idea of "direct" trust when person A and B
have direct contact. If they can *securely* exchange the
certificates (i.e. public keys) then everything you describe
is working just fine.

However, in real life such direct *secure* communications
are not always possible. And this is the reason for having X509
PKI, where there is a third person (trusted party) who holds a
"trusted" root certificate and provides a way to indirectly
pass credentials from person A to person B. Thus, signature
verification involves not only a check of the signature validity
by itself but also of the validity of the "trust" in this third
person. And this is the reason to pass 'rootcert.pem' on the
command line.

This is a *very* brief description of X509 PKI. A good book on
cryptography might give you more explanations and insights
on the subject:

https://www.aleksey.com/xmlsec/related.html

Enjoy,

Aleksey

Brian McLaughlin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> I am attempting to use XMLsec for signing, verifying and
> encrypting, decrypting XML documents. I have currently implemented the
> example 3 for sign and verify and cannot understand the logic of using
> the rootcert.pem for verifying the signature.
> 
> My understanding of the protocol is as follows:
> 
> Certificate authority issues a private key and a certificate (signed
> by the certificate authority) to person A
> Certificate authority issues a private key and a certificate (signed
> by the certificate authority) to person B
> 
> When person A wants to communicate with person B, (s)he signs the
> message with person A's private key.
> person B then receives the message and verifies that the message was
> signed by person A by using person A's public key.
> 
> As a result, I believed the commands in your example should be:
> 
> 
> ./sign3 sign3-doc.xml rsakey.pem rsacert.pem > sign3-res.xml
> ./verify3 sign3-res.xml rsacert.pem
> 
> 
> Can you explain what I am misunderstanding, if possible?
> 
> Thank you in advance,
> Brian McLaughlin.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> 
> iD8DBQFGCnsSx+Pka16x9kURArGeAJ9QKWlegAfr3cDy9obF6qRREaKThQCfUijv
> Jns1x+HZPYT8eRJ3nDBeJyM=
> =+6qV
> -----END PGP SIGNATURE-----
> 
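
Added example, not part of the original thread or of the xmlsec examples: the two checks the reply describes (signature validity, then trust in the third party), shown with the openssl command line instead of xmlsec. All keys, certificates and the message are constructed throwaway data, and `make_fixture` and `check_signed` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. All keys and certificates are constructed throwaway test data;
# file names follow the thread (rsakey.pem, rsacert.pem, rootcert.pem).

# make_fixture DIR: build a root CA, Person A's CA-issued certificate, and a
# self-signed certificate that merely claims the same subject name.
make_fixture() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout rootkey.pem -out rootcert.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Person A" \
        -keyout rsakey.pem -out rsa.csr 2>/dev/null
    openssl x509 -req -in rsa.csr -CA rootcert.pem -CAkey rootkey.pem \
        -CAcreateserial -days 1 -out rsacert.pem 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Person A" \
        -keyout selfkey.pem -out selfcert.pem 2>/dev/null
    printf 'hello B, from A\n' > msg.txt
    openssl dgst -sha256 -sign rsakey.pem  -out good.sig msg.txt
    openssl dgst -sha256 -sign selfkey.pem -out self.sig msg.txt
)

# check_signed MSG SIG CERT ROOT: run both checks from the reply and print
# "sig=<ok|bad> chain=<ok|bad>".
check_signed() {
    pub=$(mktemp)
    openssl x509 -in "$3" -pubkey -noout > "$pub" 2>/dev/null
    # 1) Signature validity: does SIG match MSG under the key inside CERT?
    if openssl dgst -sha256 -verify "$pub" -signature "$2" "$1" >/dev/null 2>&1
    then sig=ok; else sig=bad; fi
    # 2) Trust: does CERT chain to the root the verifier already trusts?
    if openssl verify -CAfile "$4" "$3" >/dev/null 2>&1
    then chain=ok; else chain=bad; fi
    rm -f "$pub"
    echo "sig=$sig chain=$chain"
}

dir=$(mktemp -d)
make_fixture "$dir"
echo "CA-issued:   $(check_signed "$dir/msg.txt" "$dir/good.sig" "$dir/rsacert.pem" "$dir/rootcert.pem")"
echo "self-signed: $(check_signed "$dir/msg.txt" "$dir/self.sig" "$dir/selfcert.pem" "$dir/rootcert.pem")"
rm -rf "$dir"
```

The self-signed certificate passes the signature check on its own, which is why a verifier that accepts whatever certificate arrives with the message learns nothing about who signed it; only the chain check against rootcert.pem separates the two cases.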


