santuario-dev mailing list archives

From Berin Lautenbach <be...@wingsofhermes.org>
Subject Re: DO NOT REPLY [Bug 40921] - XML <X509Certificate> contents modified and signature normally validated.
Date Thu, 09 Nov 2006 08:54:00 GMT
Scott Cantor wrote:
>>So out of curiosity, how does one verify the Signature/KeyInfo match
>>up in the JDK 1.6 code?
> 
> 
> I don't think that's how I would approach the question. In all cases, I
> think the application needs to supply the verification key. The application
> MAY choose to examine KeyInfo as part of determining what key to try, but
> that's up to it.
> 
> In that light, KeyInfo is simply one of many inputs into the process of
> determining the key. The critical difference is that in my mind, you start
> by identifying the signer, usually based on the message itself, not based on
> KeyInfo. From there, you get keying material, or policy to control
> certificates that might be in KeyInfo.

+1.

I cannot think of any case where I would "trust" a message purely 
because *the message* told me it was OK.  That's effectively what you do 
if you base a "trust" decision on a key info element.

The KeyInfo is like the keyid for a PGP/GPG signed message.  It's a 
pointer into your own keyring (or key management approach - whatever) 
that lets *you* make a decision based on something outside the message 
as to whether the message is signed by someone you know.

And FWIW - the match between key info and signature is trivial.  If the 
key that you determine from the keyinfo validates the signature then it 
matches.  Otherwise it doesn't.  Incorporating the keyinfo into the 
signed information tells you precisely nothing - if someone has inserted 
their own key into KeyInfo, then they can obviously re-sign the message 
and send it to you in its new form.  So putting the KeyInfo inside the 
signature tells you nothing about the validity of the key.

Given that fact - it would actually be dangerous for the spec to do it 
by default as it would give a false sense of security to end users. 
"The key info is included in the signature and the signature verified, 
therefore the key is correct".  Badness.

Cheers,
	Berin
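
The point made in this message, as an added example that is not part of the original thread and is not Santuario or JDK code: the same re-signed content is validated once with a key read out of its own KeyInfo and once with a key the application supplies. It uses the standard `javax.xml.crypto.dsig` API; the names `KeyInfoTrustDemo`, `FROM_KEYINFO`, `sign` and `validate`, and the sample document, are constructed for illustration.

```java
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
public class KeyInfoTrustDemo {
    static final XMLSignatureFactory F = XMLSignatureFactory.getInstance("DOM");
    static final KeySelector FROM_KEYINFO = new KeySelector() { // mistake: key taken from the message
        public KeySelectorResult select(KeyInfo ki, Purpose p, AlgorithmMethod m,
                XMLCryptoContext c) throws KeySelectorException {
            try {
                PublicKey pk = ((KeyValue) ki.getContent().get(0)).getPublicKey();
                return () -> pk;
            } catch (KeyException e) { throw new KeySelectorException(e); }
        }
    };
    static Document sign(KeyPair kp) throws Exception { // enveloped, signer's key in KeyInfo
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        doc.appendChild(doc.createElementNS(null, "order")).setTextContent("constructed sample");
        Reference ref = F.newReference("", F.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(F.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = F.newSignedInfo(
            F.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            F.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = F.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        F.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        return doc;
    }
    static boolean validate(Document doc, KeySelector ks) throws Exception {
        // sign() appended <Signature> as the last child of the root element
        DOMValidateContext ctx = new DOMValidateContext(ks, doc.getDocumentElement().getLastChild());
        return F.unmarshalXMLSignature(ctx).validate(ctx);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair known = g.generateKeyPair(), stranger = g.generateKeyPair(); // stranger: never seen by the app
        KeySelector appKey = KeySelector.singletonKeySelector(known.getPublic());
        System.out.println("re-signed, key from KeyInfo: " + validate(sign(stranger), FROM_KEYINFO));
        System.out.println("re-signed, application key:  " + validate(sign(stranger), appKey));
        System.out.println("genuine, application key:    " + validate(sign(known), appKey));
    }
}
```

The first check reports true and the second false for the same re-signed content; the only thing separating them is where the verification key came from.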
