OASIS Mailing List Archives


saml-dev message


Subject: Re: [saml-dev] XML signature validation question

On 13-01-17 15:38, Cantor, Scott wrote:
Using PKIX in general is both a bad idea and inherently non-interoperable in SAML, but to the extent that one would, multiple certificates in a single X509Data are a chain, and so they're not *all* likely to be meant as a signing key, but as a chain with the signing key plus additional validation aids.

I agree with this. Only the end entity certificate would be used for the signature. In PKI any intermediate certificates and the root certificates in the chain would not be used for anything but to validate next-level certificates. The example in the XML Signature specification uses an ordering of X509Certificate elements, from the end entity certificate as the first X509Certificate occurrence to the root as the last one. The XML Signature specification does not actually explicitly impose this ordering constraint on chains, which is an omission. Assuming this constraint is enforced, then if a chain is specified, only one X509Certificate element has to be considered, for an X509Data element, for validation of the signature, and it would be the first element.

Note that the above is a comment on XML Signature, not on SAML. The referenced SAML interoperability profile restricts the occurrence of X509Certificate in KeyInfo to a single certificate (no chains) and since an X509Certificate is contained in an X509Data element, there can only be one X509Data element in the KeyInfo.
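The certificate-selection rule described in the message above, written out as an added example (not code from the original post or from any SAML implementation): in plain XML Signature mode a multi-certificate X509Data is read as a chain ordered end-entity first, so only the first X509Certificate is handed to the verifier; in SAML interop mode anything other than a single X509Data holding a single X509Certificate is rejected. The KeyInfo fragments and the certificate bodies are constructed placeholders, not real certificates.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample KeyInfo fragments. The element text stands in for
# base64 DER certificates; the placeholder names only mark chain positions.
CHAIN_KEYINFO = """<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data>
    <X509Certificate>END_ENTITY_CERT</X509Certificate>
    <X509Certificate>INTERMEDIATE_CA_CERT</X509Certificate>
    <X509Certificate>ROOT_CA_CERT</X509Certificate>
  </X509Data>
</KeyInfo>"""

SINGLE_KEYINFO = """<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data>
    <X509Certificate>
      END_ENTITY_CERT
    </X509Certificate>
  </X509Data>
</KeyInfo>"""


def select_signing_certificate(keyinfo_xml, saml_interop=False):
    """Return the base64 body of the certificate whose key verifies the signature.

    XML Signature mode: the X509Data is treated as a chain ordered end-entity
    first (the ordering of the spec's example, not something the spec mandates),
    so only the first X509Certificate is returned.
    SAML interop mode: exactly one X509Data with exactly one X509Certificate is
    accepted; chains or multiple X509Data elements are rejected, not guessed at.
    """
    root = ET.fromstring(keyinfo_xml)
    if root.tag != DS + "KeyInfo":
        raise ValueError("root element is not ds:KeyInfo")
    x509_data = root.findall(DS + "X509Data")
    if not x509_data:
        raise ValueError("no ds:X509Data present")
    if saml_interop and len(x509_data) != 1:
        raise ValueError("SAML interop profile allows exactly one ds:X509Data")
    certs = x509_data[0].findall(DS + "X509Certificate")
    if not certs:
        raise ValueError("ds:X509Data carries no ds:X509Certificate")
    if saml_interop and len(certs) != 1:
        raise ValueError("SAML interop profile forbids certificate chains in KeyInfo")
    # Certificates after the first (intermediates, root) are never used to
    # verify the signature itself; they only serve PKIX path validation.
    return "".join(certs[0].text.split())
```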
