How does XML Signature prevent repudiation if it comes with KeyInfo ?

Thread view:

jacksu - 02 Sep 2005 19:49 GMT

Hi all,

Thanks your time to help me clean up my confusion. I posted this
question in some place also, hope someone could help me out.

Say the following xml signature:

<Signature>
<SignedInfo>
....
<DigestValue>.....</DigestValue>
</SignedInfo>
<SignatureValue>....</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>....</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>

If I changed the message totally, have my own DigestValue, and have my
own SignatureValue, and send my own X509Certificate with
only the DN name to be the same as original sender.

How does receiver tell the message was changed?

Thanks.

Reply to this Message

Mr. Skeptic - 02 Sep 2005 22:12 GMT

They can't. So obviously the issuer cannot issue two or more
certificates with the same DN.

Do you know any CAs that will?

Reply to this Message

jacksu - 02 Sep 2005 22:20 GMT

Thanks for reply,

Different CA might issue the same DN.....

Also, how about self-signed certs?

Still feel that could be a loophole easily be overlooked. How do you
think?

Reply to this Message

Chris Head - 04 Sep 2005 19:40 GMT

> Thanks for reply,
>
[quoted text clipped - 4 lines]
> Still feel that could be a loophole easily be overlooked. How do you
> think?

Hi,
Presumably the receiving program has a built-in (probably user-editable)
list of trusted CAs. Just like an HTTPS connection with a Web browser, a
signature will be considered suspect if the certificate that generated
it was not signed by one of these trusted CAs. Meanwhile, the trusted
CAs will not issue (sign) a certificate unless they are sure you are who
you say you are.

Chris

Reply to this Message

Mr. Skeptic - 04 Sep 2005 21:12 GMT

A CA that issues two or more valid certs with the same DN is almost
worthless. No one would (or should) trust it.

Reply to this Message

How does XML Signature prevent repudiation if it comes with KeyInfo ?

Free Magazines