Why isn't KeyInfo inside SignedInfo

This might be a no-brainer at this point, but I just noticed that KeyInfo is
not inside SignedInfo.

Why is this?

It seems that during signature generation, all data within KeyInfo can be
filled in prior to generating the SignatureValue.  The signer chooses his
identity before the SignatureValue is created.

Otherwise, the material in KeyInfo would seem to be largely untrustworthy
even if our signatures validate.  After validation, we would have to dig up
the real information from the actual certificates just to be sure that all
of this identity information wasn't substituted on us by an attacker.

On the other hand, perhaps it is done this way to force application
developers to obtain the information (like subject name) from the
certificate to avoid attacks from those who would generate a faulty

In which case, why bother breaking this information out into XML?


     John Boyer
      Development Team Leader,
      Distributed Processing and XML
      PureEdge Solutions Inc.
      Creating Binding E-Commerce
      v: 250-479-8334, ext. 143  f: 250-479-3772
      1-888-517-2675   http://www.PureEdge.com

Received on Monday, 28 August 2000 20:03:47 UTC