Posted to dev@santuario.apache.org by David Yu <ts...@gmail.com> on 2014/04/22 11:08:36 UTC
self-signed vs CA signed X.509 certificate in keyInfo
Dear Santuario developers,
Could someone let me know?
Does Santuario check if the certificate is signed by a CA before verifying
the XML signature?
If I use the X509Data (if it is self-signed) from the XML to verify the
signature, how do I ensure the XML is sent from the trusted party?
Thanks
Tsun
Re: self-signed vs CA signed X.509 certificate in keyInfo
Posted by David Yu <ts...@gmail.com>.
Thank you for the information. It helps.
Thanks
Tsun
On Tue, Apr 22, 2014 at 8:32 AM, Cantor, Scott <ca...@osu.edu> wrote:
> On 4/22/14, 5:08 AM, "David Yu" <ts...@gmail.com> wrote:
>
> >Does Santuario check if the certificate is signed by a CA before verifying
> >the XML signature?
>
> Not generally.
>
> >If I use the X509Data (if it is self-signed) from the XML to verify the
> >signature, how do I ensure the XML is sent from the trusted party?
>
> By implementing a trust management strategy that fits your scenarios, for
> example [1].
>
> Every problem domain is different, but in general if you're tempted to
> just do some hand waving with "a trusted CA", you're oversimplifying the
> problem.
>
> -- Scott
>
> [1] https://wiki.shibboleth.net/confluence/display/SHIB2/TrustManagement
Re: self-signed vs CA signed X.509 certificate in keyInfo
Posted by "Cantor, Scott" <ca...@osu.edu>.
On 4/22/14, 5:08 AM, "David Yu" <ts...@gmail.com> wrote:
>Does Santuario check if the certificate is signed by a CA before verifying
>the XML signature?
Not generally.
>If I use the X509Data (if it is self-signed) from the XML to verify the
>signature, how do I ensure the XML is sent from the trusted party?
By implementing a trust management strategy that fits your scenarios, for
example [1].
Every problem domain is different, but in general if you're tempted to
just do some hand waving with "a trusted CA", you're oversimplifying the
problem.
-- Scott
[1] https://wiki.shibboleth.net/confluence/display/SHIB2/TrustManagement
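Scott's answer is that Santuario checks the signature but leaves trust in the KeyInfo certificate to the application. The class below is an added illustration, not code from the thread or from Santuario: a JSR 105 KeySelector (the hook the Java API calls to choose the verification key) that hands back the X509Data public key only when that certificate is either a pinned, typically self-signed, certificate or validates under PKIX against configured CA anchors. The class name, constructor arguments and the assumption that the KeyInfo certificate is issued directly by an anchor (longer chains need the intermediates supplied via a CertStore) are mine.

```java
import java.security.Key;
import java.security.cert.*;
import java.util.*;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.keyinfo.*;

// Hypothetical KeySelector for the JSR 105 API that Santuario Java implements.
// The verification key comes from <KeyInfo>/<X509Data> only if that certificate
// is one we explicitly trust: a pinned certificate, or one that validates under
// PKIX against our trust anchors. A bare <KeyValue> is never accepted.
public final class TrustedX509KeySelector extends KeySelector {
    private final Set<X509Certificate> pinned;
    private final Set<TrustAnchor> anchors = new HashSet<>();

    public TrustedX509KeySelector(Collection<X509Certificate> pinnedCerts,
                                  Collection<X509Certificate> caCerts) {
        this.pinned = new HashSet<>(pinnedCerts);
        for (X509Certificate ca : caCerts) anchors.add(new TrustAnchor(ca, null));
    }

    @Override
    public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                    XMLCryptoContext context) throws KeySelectorException {
        if (keyInfo == null) throw new KeySelectorException("signature carries no KeyInfo");
        for (Object item : keyInfo.getContent()) {
            if (!(item instanceof X509Data)) continue;
            for (Object x : ((X509Data) item).getContent()) {
                if (x instanceof X509Certificate && isTrusted((X509Certificate) x)) {
                    final Key key = ((X509Certificate) x).getPublicKey();
                    return () -> key;   // KeySelectorResult has the single method getKey()
                }
            }
        }
        throw new KeySelectorException("no trusted certificate in KeyInfo; refusing to verify");
    }

    private boolean isTrusted(X509Certificate cert) {
        try {
            cert.checkValidity();                    // expiry applies to pinned certs too
            if (pinned.contains(cert)) return true;  // equals() compares the DER encodings
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Collections.singletonList(cert));
            PKIXParameters params = new PKIXParameters(anchors); // throws if no anchors
            params.setRevocationEnabled(false);      // enable CRL/OCSP checking in production
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            return false;                            // untrusted issuer, expired, malformed
        }
    }
}
```

Pass an instance as the KeySelector argument of DOMValidateContext; when it throws, XMLSignature.validate() fails before any key from the document is used.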
Re: self-signed vs CA signed X.509 certificate in keyInfo
Posted by David Yu <ts...@gmail.com>.
Thank you for the information. It helps.
Thanks
Tsun
On Tue, Apr 22, 2014 at 2:08 AM, David Yu <ts...@gmail.com> wrote:
> Dear Santuario developers,
> Could someone let me know?
> Does Santuario check if the certificate is signed by a CA before verifying
> the XML signature?
> If I use the X509Data (if it is self-signed) from the XML to verify the
> signature, how do I ensure the XML is sent from the trusted party?
>
> Thanks
> Tsun