OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: XML signature validation question


let's assume that a remote entity metadata has the KeyDescriptor defined the following way:

<KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>

In other words the signing key has a whole certificate chain defined. In this scenario upon validation of an XML signature should one validate the signature against all the public keys represented by X509Certificate values, or should one just use the first certificate for signature verification, and use the rest of the chain for certificate validation only?

When reading https://www.w3.org/TR/xmldsig-core/#sec-X509Data I can find the following: "Whenever multiple certificates occur in an X509Data element, at least one such certificate must contain the public key which verifies the signature."

For me this suggests that any certificate from the chain can be used to verify the signature. Is this interpretation correct? Does the SAML spec override this behavior?

Thanks in advance.

Kind Regards,
Peter Major

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]