Re: Clarification on section 3.2.1 (Reference Validation)

On Thursday 06 December 2001 05:32, Sean Mullan wrote:
> Step 3 of section 3.2.1 states:
>
>   "Compare the generated digest value against DigestValue
>    in the SignedInfo Reference; if there is any mismatch,
>    validation fails."
>
> Does "validation" above mean "core validation"?

Hi Sean. It means Reference Validation fails and since Core Validation 
requires Reference *and* Signature (cryptographic) validation, Core 
consequently fails as well.

> If a single
> reference fails to validate, core validation fails. I assume
> this means an implementation should (must?) abort validation of the
> remaining references and return a failure. Is my assumption
> correct?

According to the specification the Signature is not valid. How this is 
communicated is up to the application which could short cut and immediately 
abort, continue processing the other references so it can identify which 
ones failed, and/or do the cryptographic signature validation as other 
piece of information to the user or calling application.

-- 

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Thursday, 6 December 2001 11:28:35 UTC