saml-dev message



Subject: XML signature validation question


Hi,

let's assume that a remote entity's metadata has the KeyDescriptor defined the following way:

<KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>
        ....
      </ds:X509Certificate>
      <ds:X509Certificate>
        ....
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</KeyDescriptor>

In other words, the signing key has a whole certificate chain defined. In this scenario, upon validation of an XML signature, should one validate the signature against all the public keys represented by the X509Certificate values, or should one just use the first certificate for signature verification and use the rest of the chain for certificate validation only?

When reading https://www.w3.org/TR/xmldsig-core/#sec-X509Data I can find the following: "Whenever multiple certificates occur in an X509Data element, at least one such certificate must contain the public key which verifies the signature."

For me this suggests that any certificate from the chain can be used to verify the signature. Is this interpretation correct? Does the SAML spec override this behavior?

Thanks in advance.

Kind Regards,
Peter Major
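One defensive way to act on the xmldsig sentence quoted in the message, written here as an added example that is not part of the original thread: treat every X509Certificate in a signing KeyDescriptor of the trusted metadata as a candidate verification key and try each in turn, so the message's own KeyInfo never decides which key is trusted. The sample metadata, the certificate bytes and the `verify` hook are constructed placeholders; a real deployment would plug an XML-DSig library into `verify`.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Callable, Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_certs(metadata_xml: str) -> list[bytes]:
    """DER bytes of every X509Certificate that may carry the signing key.
    KeyDescriptors with use="signing" or with no use attribute (SAML metadata
    treats that as signing and encryption) qualify; use="encryption" is skipped."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use") == "encryption":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # metadata wraps the base64 across lines; drop all whitespace first
            certs.append(base64.b64decode("".join((cert.text or "").split())))
    return certs

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def verify_with_any(signed_info: bytes, sig_value: bytes, candidates: list[bytes],
                    verify: Callable[[bytes, bytes, bytes], bool]) -> Optional[str]:
    """Try each metadata candidate in turn (xmldsig: at least one must hold the
    verifying key). Returns the fingerprint of the first certificate that
    verifies, or None. `verify(der, signed_info, sig_value)` is a hypothetical
    hook standing in for a real XML-DSig library; only the metadata list is trusted."""
    for der in candidates:
        if verify(der, signed_info, sig_value):
            return fingerprint(der)
    return None

# Constructed sample metadata: the "certificates" are placeholder bytes, not real DER.
LEAF, CHAIN, ENC = b"constructed-leaf", b"constructed-intermediate", b"constructed-enc"

def wrapped_b64(raw: bytes) -> str:
    s = base64.b64encode(raw).decode()
    return s[:8] + "\n        " + s[8:]  # line-wrapped, as real metadata often is

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example/constructed"><md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{wrapped_b64(LEAF)}</ds:X509Certificate>
    <ds:X509Certificate>{wrapped_b64(CHAIN)}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{wrapped_b64(ENC)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Which candidate actually verified is worth logging, since a signature that only verifies under an intermediate rather than the leaf is a configuration oddity worth noticing.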

