- From: Joseph Swaminathan <jswamina@cisco.com>
- Date: Thu, 11 Mar 2004 10:49:36 -0800
- To: Rich Salz <rsalz@datapower.com>
- Cc: Anders Rundgren <anders.rundgren@telia.com>, w3c-ietf-xmldsig@w3.org
A novice question. Pardon me if it is obvious.
What is the need for signing the X509 certificate?
Since each certificate contains a signature of its
contents, which is validated by the next level Cert,
until a self signed Cert is met. And the root Cert
(self signed) is not trusted unless the receiver has
that certificate in his/her cert store already.
Even if the Certs are signed, by a reference,
it's still not secure until a trusted Cert (present in
Cert store) is present in the Cert chain, isn't it? As
long as Cert validation happens, the contents are not
trustable, isn't it? And Cert validation is a prerequisite,
and independent of the authenticating of the message
received, isn't it?
Thanks,
Joseph
Rich Salz wrote:
>
>> Sorry for the stupid question but since X509Data and X509Certificate
>> do not support "Id" attributes, would not KeyInfo would be a better
>> candidate?
>
>
> Not a stupid question -- it shows you've read the spec more carefully
> than I have, or that I've forgotten too much.
>
> Yes, keyinfo would be what you have to use.
> Or perhaps an errata that adds an id attribute would be best. :)
>
Received on Thursday, 11 March 2004 13:50:17 UTC
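The two independent checks the question separates, chain validation against the receiver's cert store and verification of the message signature itself, as an added example that is not part of the thread and not the xmldsig working group's code. It uses only Go's standard library (crypto/x509, crypto/ecdsa) and constructs a throw-away three-level chain (root, intermediate, leaf) plus a constructed message; the names and serial numbers are assumptions. It shows that the leaf's signature over the message verifies on its own, that the chain verifies when the self-signed root is in the store, and that the very same chain, with every per-certificate signature still valid, is rejected as unknown authority when the store is empty, even if the root travels along with the message.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial counter; a real CA tracks serials persistently

// issue signs a certificate for subjectKey with parent/parentKey.
// A nil parent yields a self-signed certificate (a root).
func issue(cn string, isCA bool, subjectKey *ecdsa.PrivateKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, subjectKey // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI constructs a throw-away chain root -> intermediate -> leaf (hypothetical names).
func buildPKI() (root, inter, leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, err error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return
		}
	}
	if root, err = issue("Example Root", true, keys[0], nil, nil); err != nil {
		return
	}
	if inter, err = issue("Example Intermediate", true, keys[1], root, keys[0]); err != nil {
		return
	}
	leaf, err = issue("signer@example.test", false, keys[2], inter, keys[1])
	return root, inter, leaf, keys[2], err
}

// chainTrusted runs path validation: trusted is the receiver's cert store,
// untrusted is whatever travelled with the message (X509Data inside KeyInfo).
func chainTrusted(leaf *x509.Certificate, untrusted, trusted []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool() // empty pool, not system roots
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range untrusted {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// outcomes reports: message signature valid, chain accepted with the root in the
// store, chain accepted with an empty store (expected false: unknown authority).
func outcomes() (sigOK, withRoot, withoutRoot bool, err error) {
	root, inter, leaf, leafKey, err := buildPKI()
	if err != nil {
		return
	}
	msg := []byte("constructed message body") // constructed sample message
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, leafKey, digest[:])
	if err != nil {
		return
	}
	// Message authentication: only the leaf's public key is involved, no store.
	sigOK = leaf.CheckSignature(x509.ECDSAWithSHA256, msg, sig) == nil
	// Path validation with the root present in the receiver's store.
	withRoot = chainTrusted(leaf, []*x509.Certificate{inter}, []*x509.Certificate{root}) == nil
	// Same chain, root shipped with the message but absent from the store.
	verr := chainTrusted(leaf, []*x509.Certificate{inter, root}, nil)
	var unknown x509.UnknownAuthorityError
	if verr != nil && !errors.As(verr, &unknown) {
		err = fmt.Errorf("unexpected path-validation error: %w", verr)
		return
	}
	withoutRoot = verr == nil
	return
}

func main() {
	sigOK, withRoot, withoutRoot, err := outcomes()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature valid: %v, chain ok (root in store): %v, chain ok (empty store): %v\n",
		sigOK, withRoot, withoutRoot)
}
```

The design point is that `chainTrusted` never consults system roots (it always builds its own pool), so the second verification fails deterministically with `x509.UnknownAuthorityError` rather than depending on the host's trust store; a receiver that only ran `CheckSignature` and skipped path validation would accept the message on the strength of a certificate nobody it trusts has vouched for.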