DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

2006-11-08 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

Re: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

2006-11-08 Thread jason marshall
Maybe I'm misunderstanding the commentary made so far in this bug report.
If KeyInfo is indeed advisory, then how does one establish the trustworthiness of an enveloped signature?
Thanks,
Jason
On 11/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> --- Additional Comments From [EMAIL PRO

Re: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

2006-11-08 Thread Sean Mullan
jason marshall wrote:
> Maybe I'm misunderstanding the commentary made so far in this bug report.
>
> If KeyInfo is indeed advisory, then how does one establish the trustworthiness of an enveloped signature?
The relying (validating) party still needs to determine the trustworthiness of the KeyInfo

Re: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

2006-11-08 Thread jason marshall
On 11/8/06, Sean Mullan <[EMAIL PROTECTED]> wrote:
> jason marshall wrote:
>> Maybe I'm misunderstanding the commentary made so far in this bug report.
>>
>> If KeyInfo is indeed advisory, then how does one establish the trustworthiness of an enveloped signature?
> The relying (validating) party stil

RE: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

2006-11-08 Thread Scott Cantor
> Maybe I'm misunderstanding the commentary made so far in this bug report.
>
> If KeyInfo is indeed advisory, then how does one establish the trustworthiness of an enveloped signature?
As Sean said, trust, whatever you believe that means, is outside the scope of XML Signature and of the ds:

RE: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

2006-11-08 Thread Scott Cantor
> Yes, of course. My question is, if the KeyInfo in a valid signature can be changed without failing the signature check, then what good does it do me to check the chain of trust on the KeyInfo?
By itself, nothing. You still also have to verify that the KeyInfo actually validates the Signatur

Re: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

2006-11-08 Thread jason marshall
Okay. In the Apache XMLSec code, this happens more or less automatically (That is, you verify the signature with checkSignatureValue, which takes a key as an argument, and may or may not also check references depending on what other settings you've specified). I'm not really all that familiar wi

RE: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

2006-11-08 Thread Scott Cantor
> I'm not really all that familiar with the JDK 1.6 API. In looking at it I see it changed quite considerably more than I expected, which probably explains most of my confusion. I assumed that the bug was against the apache implementation (this is the apache bug database, right?), not JDK

Re: DO NOT REPLY [Bug 40921] - XML contents modified and signature normally validated.

2006-11-08 Thread Sean Mullan
jason marshall wrote:
> Okay. In the Apache XMLSec code, this happens more or less automatically (That is, you verify the signature with checkSignatureValue, which takes a key as an argument, and may or may not also check references depending on what other settings you've specified). I'm not real