stackoom
  简体   繁体   中英

Passing signature public key along with the signature

 原文  2013-06-10 17:46:08       encryption/ signature

Question

Can anybody explain me a sense of passing a public key along with signature which is practiced in SAML 2.0? As I know signature is needed to make sure the message was not intercepted by someone, so I need to make sure the public key I'm validating the signature with is pertained to the sender, which in case of in SAML 2.0 I can get with metadata beforehand. However if I take a public key from the message in run-time, how can I know it is not intercepted and other interceptor's public key is included?

1 answers

solution1
 0  2013-06-10 18:24:00

You not only want to validate that the public key matches the signature, you also want to validate that the public key itself is valid. This is generally done through a certificate chain, where each certificate in the chain is basically a signed public key. You need to ensure that each certificate is valid (has not expired, has not been revoked) and that you trust the signers of each certificate. Be careful who you trust and pay attention to revocation.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Getting public key from digital signature Manual validation Lotus Notes' signature with public key Verify data with Signature public key RSA java Can't check signature: public key not found iOS: Verifying a File With a Certificate and Signature - Public Key is Wrong, Verification Fails Digital signature when only one person has public/private key How to convert public key and signature value in human readable format Signature with private key Shared-Key Signature Decrypt a signature using openssl_public_decrypt
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM