Posted to issues@camel.apache.org by "Aki Yoshida (JIRA)" <ji...@apache.org> on 2013/12/02 15:08:37 UTC

[jira] [Commented] (CAMEL-7002) PGPDataFormat: restrict verifying public keys

    [ https://issues.apache.org/jira/browse/CAMEL-7002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13836529#comment-13836529 ] 

Aki Yoshida commented on CAMEL-7002:
------------------------------------

Hi Franz,
Not sure if this filtering/checking needs to be directly included there, because the verification itself runs using the keyId found in the message. Isn't it simpler to set the user header or some similar header with the userId info after verification, so that anyone can do the filtering later if they want, no?

regards, aki


> PGPDataFormat: restrict verifying public keys
> ---------------------------------------------
>
>                 Key: CAMEL-7002
>                 URL: https://issues.apache.org/jira/browse/CAMEL-7002
>             Project: Camel
>          Issue Type: Improvement
>          Components:  camel-crypto
>            Reporter: Franz Forsthofer
>            Assignee: Hadrian Zbarcea
>             Fix For: 2.12.3, 2.13.0
>
>         Attachments: 0001-PGPDataFormat-signatureUserIds-added.patch
>
>
> During the signature verification with PGPDataFormat, currently all public keys contained in the public keyring are taken into account. So the current semantic is: Verify the signature against all public keys in the keyring. If you have a keyring with a lot of public keys, you will not want every identity represented by the public keys to be able to send you a signature. Normally you want to know from which identity the signature comes. Therefore I have introduced the possibility to restrict the verifying public keys; I have introduced the parameter signatureKeyUserids where you specify the Userids the public keys must have in order to be allowed to verify a signature.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
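
The restriction described in the issue, as an added example that is not part of the original thread and not Camel's own code: a Bouncy Castle helper that returns a verification key only when the key ring holding the signature's key ID carries an allowed User ID. The class name AllowedSignerResolver, the method resolve and the substring matching rule are assumptions made for illustration.

```java
import java.util.Iterator;
import java.util.List;

import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;

/** Hypothetical helper for illustration; not part of camel-crypto. */
public final class AllowedSignerResolver {

    private AllowedSignerResolver() {
    }

    /**
     * Returns the public key for signatureKeyId only if its key ring carries a
     * User ID containing one of allowedUserIdParts; otherwise returns null and
     * the caller must reject the message instead of verifying it.
     */
    public static PGPPublicKey resolve(PGPPublicKeyRingCollection keyrings,
                                       long signatureKeyId,
                                       List<String> allowedUserIdParts) throws PGPException {
        // Look up the whole ring, not just the key: signatures are often made
        // with a signing subkey, and subkeys carry no User IDs of their own.
        PGPPublicKeyRing ring = keyrings.getPublicKeyRing(signatureKeyId);
        if (ring == null) {
            return null; // signer is not in the keyring at all
        }
        // The identities are bound to the ring's master key.
        PGPPublicKey master = ring.getPublicKey();
        Iterator<?> userIds = master.getUserIDs();
        while (userIds.hasNext()) {
            String userId = (String) userIds.next();
            for (String part : allowedUserIdParts) {
                // Assumed matching rule: substring. Use full addresses such as
                // "<alice@example.org>" so a short part cannot match another identity.
                if (userId.contains(part)) {
                    return ring.getPublicKey(signatureKeyId);
                }
            }
        }
        return null; // key is in the keyring but its identity is not allowed
    }
}
```

Because the check runs before the signature is verified, a key that is present in the keyring but not on the allow list is never used for verification.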