
I am reasonably familiar with basic digital signing. And currently reading up on XMLDSIG.

This page explains how to sign

http://www.di-mgt.com.au/xmldsig.html

I am unable to figure out what key is stored in the field of the sample output XML file on the page.

Signed certificates have a public key. However, why should a signed document have an RSA key embedded in it - whose key is this?

user93353

1 Answer


If you sign the data using just the private RSA key (as opposed to signing it using an X.509 certificate with a private key), you include the public RSA key in KeyInfo.

Eugene Mayevski 'Callback
  • What's the point of this? Assuming I am the signer, the recipient of the document should already have my public key - otherwise how will he be able to trust that I have signed it? – user93353 Sep 24 '12 at 12:14
  • @user93353 Signature validation consists of two parts: check signature integrity and check signer's authenticity. Signature integrity can be checked using the enclosed public key. *Then* the recipient can locate the public key in his storage to find who signed it. You assume that the recipient has your public key. But how will it know *which* key to use if he has 200 public keys of 150 people? Should he try each key separately? This is time-consuming. – Eugene Mayevski 'Callback Sep 24 '12 at 12:20
  • That was very informative - thank you. In the case of signing with an X509 certificate, what info is used to locate the certificate? – user93353 Sep 24 '12 at 12:28
  • @user93353 you haven't used the @ sign to Eugene, so he will likely have missed that remark. But usually either the certificate itself is in the certificate store, or there is a "chain" to a trusted certificate. Those paths are normally found using the issuer & serial number of the parent certificate whose private key signed the underlying certificate. Most of the time the trusted certificate is a *self-signed* root certificate, which is distributed by other means, e.g. with a web browser. Look for PKI on the web for more information. – Maarten Bodewes Sep 24 '12 at 22:56
  • @user93353 KeyInfo can contain serial number, Subject RDN (relative distinguished name), Issuer RDN, Signer (Signing?) Key Identifier of the certificate. This information is usually enough to locate information on the recipient side. – Eugene Mayevski 'Callback Sep 25 '12 at 07:50
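The lookup described in the answer and in the last comment, as an added example that is not from this thread or from the linked di-mgt page: a recipient parses `<ds:KeyInfo>`, takes the embedded RSA public key (or the X509IssuerSerial / SubjectName / SKI reference) only as a hint for *which* locally trusted key to try, and accepts the signer only if that key is already in its own store. The fingerprint convention, the trust-store layout and all sample values are constructed for this example.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
def q(tag):  # Clark-notation name of an XMLDSIG element, e.g. {ns}KeyInfo
    return f"{{{DS}}}{tag}"

def rsa_key_fingerprint(modulus_b64, exponent_b64):
    # Trust-store index: SHA-256 over raw modulus||exponent. Our own convention
    # (an assumption for this example), not something XMLDSIG defines.
    raw = base64.b64decode(modulus_b64) + base64.b64decode(exponent_b64)
    return hashlib.sha256(raw).hexdigest()
def key_info_lookup_ids(key_info):
    # Every identifier in <KeyInfo> the recipient can use to find the signer:
    # an embedded RSA public key, or X509IssuerSerial / X509SubjectName / X509SKI.
    ids = []
    for kv in key_info.iter(q("RSAKeyValue")):
        mod, exp = kv.findtext(q("Modulus"), ""), kv.findtext(q("Exponent"), "")
        if mod.strip() and exp.strip():
            ids.append(("rsa-fingerprint", rsa_key_fingerprint(mod.strip(), exp.strip())))
    for x509 in key_info.iter(q("X509Data")):
        isr = x509.find(q("X509IssuerSerial"))
        if isr is not None:
            ids.append(("issuer-serial", isr.findtext(q("X509IssuerName"), "").strip()
                        + "|" + isr.findtext(q("X509SerialNumber"), "").strip()))
        for tag, kind in (("X509SubjectName", "subject"), ("X509SKI", "ski")):
            if x509.findtext(q(tag)):
                ids.append((kind, x509.findtext(q(tag)).strip()))
    return ids

def resolve_signer(signature_xml, trust_store):
    # Identity of a *trusted* key matching the signer's KeyInfo, else None. The
    # embedded key only says which key to try; trust comes from the local store.
    key_info = ET.fromstring(signature_xml).find(f".//{q('KeyInfo')}")
    ids = key_info_lookup_ids(key_info) if key_info is not None else []
    for kind, value in ids:
        if (kind, value) in trust_store:
            return trust_store[(kind, value)]
    return None

# Constructed sample data (not a real RSA key): 3-byte modulus, exponent 65537.
SAMPLE_MOD, SAMPLE_EXP = "AQID", "AQAB"
TRUST_STORE = {("rsa-fingerprint", rsa_key_fingerprint(SAMPLE_MOD, SAMPLE_EXP)): "alice",
               ("issuer-serial", "CN=Example CA|1234"): "bob"}
SIG_WITH_KEY = (f'<Signature xmlns="{DS}"><KeyInfo><KeyValue><RSAKeyValue><Modulus>'
                f'{SAMPLE_MOD}</Modulus><Exponent>{SAMPLE_EXP}</Exponent></RSAKeyValue>'
                '</KeyValue></KeyInfo></Signature>')
SIG_WITH_CERT_REF = (f'<Signature xmlns="{DS}"><KeyInfo><X509Data><X509IssuerSerial>'
                     '<X509IssuerName>CN=Example CA</X509IssuerName><X509SerialNumber>'
                     '1234</X509SerialNumber></X509IssuerSerial></X509Data></KeyInfo></Signature>')
```

Signature integrity itself (hashing the SignedInfo and checking the RSA signature with the located key) is a separate step done after this lookup succeeds; a KeyInfo whose key is not in the store resolves to None and should be rejected regardless of whether the mathematics verify.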