santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "jason marshall" <jdmarsh...@gmail.com>
Subject Re: DO NOT REPLY [Bug 40921] - XML <X509Certificate> contents modified and signature normallly validated.
Date Wed, 08 Nov 2006 15:45:11 GMT
Maybe I'm misunderstanding the commentary made so far in this bug report.

If KeyInfo is indeed advisory, then how does one establish the
trustworthiness of an enveloped signature?

Thanks,
Jason

On 11/7/06, bugzilla@apache.org <bugzilla@apache.org> wrote:
> ------- Additional Comments From cantor.2@osu.edu  2006-11-07 21:18 -------
> An enveloped signature omits anything inside the Signature element apart from
> SignedInfo. KeyInfo is not commonly signed. The only attack possible is against
> broken software that doesn't understand that KeyInfo is advisory, not trusted
> information.
>
>
> --
> Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
>


-- 
- Jason

Mime
View raw message