OpenSAML user discussion

[Brent Putman <>]

I agree with what Chad said, but also consider that KeyInfo is optional 
in a Signature, and even if present, may not include the key by value, 
instead only by reference (e.g. via KeyName or X509SubjectName, etc).  
If you don't know that the sender/signer of the message will always 
include a usable embedded key, you may want to take that into account.

I think the exact algorithm used in our SignatureTrustEngine(s) is:

-Extract key from KeyInfo, if present
-Validate signature using the KeyInfo-derived key
-If was valid, establish trust by matching that KeyInfo key to the 
trusted keys you have
-If signature was not validated using the KeyInfo key, or the KeyInfo 
key didn't match a trusted key, or no KeyInfo key was present, then 
validate the signature against all trusted keys directly

So one assumption is that the resolved trusted keys are known to be 
associated with with the "claimed" signer identity.




Chad La Joie wrote:
> Yep, that sounds right.
>
> If the system is going to see modest load you'll probably want to 
> create some bit of code that reads in the certs from the directory, 
> parses them into their Java objects, caches them and then just 
> occasionally sweeps the directory for new/removed certs.  Parsing the 
> certs is a semi-expensive task so you don't necessarily want to be 
> doing that every time you get a new message.
>
> Håkon Sagehaug wrote:
> > Hi
> >
> > So the setup currently is this, I've got a directory on a filesystem, 
> > not LDAP, that contains all the host certs I trust. When the 
> > assertion comes in I want to first check if the public key inside the 
> > <ds:X509Cert> can be resolved to one of the certs in my trusted 
> > directory. If this clears I will see if the signature validates 
> > against the public key from the saml assertion. Is this setup right?
> >
> > cheers, Håkon