RE: Verify - OpenSSL vs mscrypto: msg#00029

Subject: RE: Verify - OpenSSL vs mscrypto
Yes, I see what you are saying now. In my environment the store is called
"Other People".

So from a recipient as a verifier 'MY' signing cert would be in his "Other
People" store. However if the cert is in 'MY' as opposed to 'OtherPeople' it
should still work.

There are 2 concerns here:

1) the verifier may have to check multiple stores to find the signer's cert

2) why does the cert even have to be in "any" store if it is already
contained in the signed document?

In the case of OpenSSL all you need to verify the trust chain is the issuer
or issuers' certs loaded into the KeysMngr. This makes sense. In mscrypto,
why can't we start the chain search from the signer's issuer extracted from
the cert in the signed document, and not from the signer itself?

There will be many situations where the recipient does not have the
signer's public cert in their store.

Ed


-----Original Message-----
From: Dmitry Belyavsky [mailto:beldmit@xxxxxxxxxxxx] 
Sent: January 11, 2006 11:51 AM
To: Edward Shallow
Cc: xmlsec@xxxxxxxxxxx
Subject: RE: [xmlsec] Verify - OpenSSL vs mscrypto

Greetings!

On Wed, 11 Jan 2006, Edward Shallow wrote:

> > Dmitry wrote ...
> >
> > Edward, when you verify the signature using your own certs ('MY' 
> > cert storage), the library doesn't verify chain using my patch. To 
> > see my patch really works you need to verify the signature from the 
> > other user's account with signer's CA cert and CRL installed.

> I do not know what you mean by "the other user's account". All 
> personal certificates used by an individual are installed in the default
> 'MY' store.
> At verification time, the starting point for the get certificate chain 
> processing is from the cert context of the signer's cert no matter who 
> does that verification. In fact the signer's cert should not have to 
> be in the verifier's store at verify time. The first certificate to 
> chase in the chain should be the immediate issuer's certificate etc 
> ... What does "other user's account" mean?

I mean the signature is verified more often by a user differing from the
signer, so the sender's certs are not placed in the "MY" store. In my copy of
Windows the store is known as "Trusted users", though my colleagues say its
correct name is "Addressbook".

--
SY, Dmitry Belyavsky (ICQ UIN 11116575)

