
mace-opensaml-users - Re: [OpenSAML] SAML2HTTPRedirectDeflateSignatureRule

Subject: OpenSAML user discussion


Re: [OpenSAML] SAML2HTTPRedirectDeflateSignatureRule


  • From: rangeli nepal <>
  • Subject: Re: [OpenSAML] SAML2HTTPRedirectDeflateSignatureRule
  • Date: Fri, 28 May 2010 09:42:54 -0400

Thank you, Chad. Things were never as clear as they are now.

On Thu, May 27, 2010 at 6:50 PM, Chad La Joie <> wrote:


On 5/27/10 6:42 PM, rangeli nepal wrote:
1. In my case I get a message with ds:X509Certificate and I have similar
data in the metadata. So I am inferring that the rule engine will compute the
signature using both of them and verify it? I believe the certificate from the
metadata will be more trusted.

Not quite. First the trust engine figures out which set of material it trusts and then just verifies the signature with that.  So there is no comparison.  By default, as noted below, the trust material consists of the certificates in the metadata, and the certificate in the signature is ignored.


2. Is the trust engine intelligent enough to differentiate between a self-signed
certificate and a commercial certificate?

There are different trust engine implementations.  The most common one, the one that uses the certificate data from metadata, doesn't care if the certificate is self-signed.  By loading the metadata you are saying that the material in there is trusted (you can do various things like check signatures on the metadata document to determine this).  So, as long as the data therein can validate the signature it's fine, whether the cert was self-signed or not.

The PKIX trust engine, which isn't normally used, would care if the cert was self-signed.


--
Chad La Joie
http://itumi.biz
trusted identities, delivered
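An added example (not part of this thread and not OpenSAML's own code) showing how the two trust engines Chad describes are wired into SAML2HTTPRedirectDeflateSignatureRule in OpenSAML 2.x. It assumes the receiving side is an IdP handling an AuthnRequest sent by an SP over the HTTP-Redirect binding; the metadata file path, the entity ID and the trust anchors are hypothetical placeholders.

```java
import java.io.File;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.ws.security.provider.BasicSecurityPolicy;
import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicPKIXValidationInformation;
import org.opensaml.xml.security.x509.PKIXValidationInformation;
import org.opensaml.xml.security.x509.StaticPKIXValidationInformationResolver;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine;

public final class RedirectSignatureCheck {

    // Hypothetical: the peer's metadata lives in a local file. Loading it is the
    // act of trust Chad describes; protect that file (or use a signed/filtered
    // remote provider) accordingly.
    static MetadataProvider loadMetadata(File metadataFile) throws Exception {
        DefaultBootstrap.bootstrap();
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        FilesystemMetadataProvider provider = new FilesystemMetadataProvider(metadataFile);
        provider.setParserPool(pool);
        provider.initialize();
        return provider;
    }

    // Explicit-key trust (the default Chad refers to): the only trusted signing
    // keys are those in the peer's <KeyDescriptor use="signing"> in metadata.
    // Self-signed vs CA-issued is irrelevant, and the certificate carried in the
    // message's KeyInfo is never consulted as trust material.
    static SignatureTrustEngine explicitKeyEngine(MetadataProvider metadata) {
        MetadataCredentialResolver credentials = new MetadataCredentialResolver(metadata);
        KeyInfoCredentialResolver keyInfoResolver =
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        return new ExplicitKeySignatureTrustEngine(credentials, keyInfoResolver);
    }

    // PKIX trust (the engine that does care): the certificate from the message's
    // KeyInfo is used, but it must chain to one of trustAnchors (max depth 5 here)
    // and carry one of trustedNames. A self-signed leaf that is not itself an
    // anchor fails this check.
    static SignatureTrustEngine pkixEngine(List<X509Certificate> trustAnchors, Set<String> trustedNames) {
        PKIXValidationInformation info =
            new BasicPKIXValidationInformation(trustAnchors, null, Integer.valueOf(5));
        StaticPKIXValidationInformationResolver resolver =
            new StaticPKIXValidationInformationResolver(Collections.singletonList(info), trustedNames);
        KeyInfoCredentialResolver keyInfoResolver =
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        return new PKIXSignatureTrustEngine(resolver, keyInfoResolver);
    }

    // Decode a HTTP-Redirect AuthnRequest and run the signature rule against it.
    // The peer role and protocol on the context are what MetadataCredentialResolver
    // uses to pick the right KeyDescriptor; the peer entity ID comes from the
    // decoded Issuer.
    static AuthnRequest decodeAndVerify(HttpServletRequest request, MetadataProvider metadata,
                                        SignatureTrustEngine trustEngine, String localEntityId)
            throws Exception {
        BasicSecurityPolicy policy = new BasicSecurityPolicy();
        policy.getPolicyRules().add(new SAML2HTTPRedirectDeflateSignatureRule(trustEngine));

        BasicSAMLMessageContext<AuthnRequest, SAMLObject, SAMLObject> context =
            new BasicSAMLMessageContext<AuthnRequest, SAMLObject, SAMLObject>();
        context.setInboundMessageTransport(new HttpServletRequestAdapter(request));
        context.setMetadataProvider(metadata);
        context.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        context.setInboundSAMLProtocol(SAMLConstants.SAML20P_NS);
        context.setLocalEntityId(localEntityId);
        context.setSecurityPolicyResolver(new StaticSecurityPolicyResolver(policy));

        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        // decode() evaluates the policy; a bad signature surfaces as SecurityException.
        new HTTPRedirectDeflateDecoder(pool).decode(context);

        // Caveat: the rule only fails on a *bad* signature. An unsigned request is
        // skipped, so require the authenticated flag yourself if signing is mandatory.
        if (!context.isInboundSAMLMessageAuthenticated()) {
            throw new SecurityException("AuthnRequest was not signed by a trusted key");
        }
        return context.getInboundSAMLMessage();
    }
}
```

Usage is `decodeAndVerify(req, loadMetadata(new File("/etc/idp/sp-metadata.xml")), explicitKeyEngine(metadata), "https://idp.example.org/idp")` inside the servlet handling the SSO endpoint (paths and entity ID are placeholders). Swap in `pkixEngine(...)` only if you genuinely want the certificate in the message, rather than the metadata, to decide trust; and if the metadata file itself comes from somewhere you do not control, attach a SignatureValidationFilter to the provider before `initialize()` so the "by loading it you trust it" step has a signature behind it.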




