
Re: X509 data element

From: Joseph Swaminathan <jswamina@cisco.com>
Date: Tue, 04 Feb 2003 06:42:38 -0800
Message-ID: <3E3FD15D.309D090E@cisco.com>
To: Rich Salz <rsalz@datapower.com>
CC: w3c-ietf-xmldsig@w3.org



Rich Salz wrote:

> >    1. When the X509Certificate element is present, is there any need
> >       for the X509IssuerSerial, X509SubjectName, X509SKI elements? Is
> >       it possible for all of these to be present? If so, what is
> >       the significance of the latter three, as the first one contains
> >       all of them?
>
> Many implementations actually provide more than one of the different
> forms in the same signature.  Yes, the certificate includes all the
> other data, but it requires a fairly heavy-duty ASN1/DER parser.
> Breaking out the alternate "lookup keys" is just "friendly," as it were.

     Since the signature value on the signature node only covers the
SignedInfo element, the individual X.509 elements present in the
KeyInfo are not signed at all. In that case, how can these values be
trusted, unless they are cross-verified with the X.509 certificate?

       Won't it be possible for a hacker to intercept the XML document
and add individual X.509 elements which are not consistent with the
X.509 certificate and change the SignedInfo as he pleases?

thanks
Joseph

> >    2. Also, how is a certificate validated. Is it by
>
> That's a local trust issue, and depends on your implementation and
> business requirements.  A common 80/20 technique is to verify that the
> certificate *or its issuer* came from a locally-configured trusted list.
>
>         /r$
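The cross-check Joseph asks about, as an added example that is not part of this thread or of any XML Signature library: parse the KeyInfo, decode the X509Certificate element, and accept the unsigned X509IssuerSerial values only if they agree with the certificate they claim to describe. The function names, the throwaway self-signed certificate (CN=Example Signing CA, serial 4242) and the sample KeyInfo are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"math/big"
	"time"
)

// x509Data mirrors the ds:X509Data children compared here (any namespace accepted).
type x509Data struct {
	IssuerName  string `xml:"X509Data>X509IssuerSerial>X509IssuerName"`
	Serial      string `xml:"X509Data>X509IssuerSerial>X509SerialNumber"`
	Certificate string `xml:"X509Data>X509Certificate"`
}

// KeyInfoConsistent decodes X509Certificate and reports whether the unsigned
// X509IssuerSerial values match it (absent elements pass; DNs compared as Go's RFC 2253 strings).
func KeyInfoConsistent(keyInfoXML string) (bool, error) {
	var d x509Data
	if err := xml.Unmarshal([]byte(keyInfoXML), &d); err != nil {
		return false, err
	}
	der, err := base64.StdEncoding.DecodeString(d.Certificate)
	if err != nil {
		return false, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	return (d.IssuerName == "" || d.IssuerName == cert.Issuer.String()) &&
		(d.Serial == "" || d.Serial == cert.SerialNumber.String()), nil
}

// SampleKeyInfo wraps a throwaway self-signed cert (constructed test data) in a KeyInfo with the given lookup keys.
func SampleKeyInfo(issuer, serial string) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Signing CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return `<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509IssuerSerial>` +
		`<X509IssuerName>` + issuer + `</X509IssuerName><X509SerialNumber>` + serial +
		`</X509SerialNumber></X509IssuerSerial><X509Certificate>` +
		base64.StdEncoding.EncodeToString(der) + `</X509Certificate></X509Data></KeyInfo>`
}
```

A production check would normalise the issuer DN before comparing and strip the whitespace that base64 in real signatures often carries; this version only shows the consistency rule itself.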
Received on Tuesday, 4 February 2003 09:44:05 GMT
