OpenSAML user discussion

[Xavier Drudis Ferran <>]

On Mon, Mar 03, 2008 at 11:32:51AM -0500, Scott Cantor wrote:
> > 
> > only means that the part outside the Signature generates the same
> > DigestValue as is in the Signature's SignedInfo, but later some digest
> > of the SignedInfo (or it plus something more) is calculated before
> > validating with the signer's public key, and that fails because of
> > the whitespace differences. Right?
> 
> Well, yes, but that's not before validating, that is the validation. The
> SignatureValue is a public key signature over the octets making up that c14n
> step.
>

Ok, it's the signature validation, not before it. I meant before you
apply the public key to the signature value and the hash of the signed
data, but I was confused.

I think I was confusing the digestValue with the hash involved in 
signing (and checking signatures). These need to be different things
because you can have more than one reference, and more than one 
digestValue (one per reference) , and then sign them all and generate
a single SignatureValue. But in my case I get only one reference, 
and I was confused. Now I see. There's one more hash calculation 
involved than what I thought.
 
Thanks for explaining. 

-- 
Xavi Drudis Ferran