Re: How to verify CA for a X.509 certificate

From: Michel Gallant (neutron_at_istar.ca)
Date: 06/12/04

    Date: Sat, 12 Jun 2004 10:34:24 -0400
    
    

    The article DOES check if the public key is in the store, and tries
    to use it to explicitly verify the signature on the cert. If the issuer-name
    and associated cert/key was swapped, of COURSE the signature verification
    would fail, so that is not a problem.
    If you trust who you received the signed XML file from, and you ALSO trust
    the integrity of your root CA store (i.e. haven't populated unwisely with unknown
    root CA certs from potentially malicious origins, like my own OpenSSL generated
    root CA certs ;-) then you should be golden.

    - Mitch Gallant
       www.jensign.com

    "Bas van Atteveldt" <newsgroup@2at.nl> wrote in message
    news:%23c4fadGUEHA.556@tk2msftngp13.phx.gbl...
    > It helps a little. I had already found that article but it is an awful lot
    > of work using almost exclusively unmanaged calls. More importantly, if I
    > read it correctly, it only checks if the issuer name exists in a store; this
    > is not secure as the issuer name can be forged quite easily. It should check
    > if the public key of the issuer (or the issuer's issuer, etc.) is in the
    > store. I believe that code like this can also be done managed using the WSE
    > (web services enhancements) from Microsoft.
    >
    > Bas.
    >
    > "Michel Gallant" <neutron@istar.ca> wrote in message
    > news:%232tdtP%23TEHA.3404@TK2MSFTNGP10.phx.gbl...
    > > Not sure if this helps:
    > > http://www.jensign.com/JavaScience/dotnet/VerifyCertSigner
    > > - Mitch Gallant
    > > MVP Security
    > >
    > ...
    >
    >
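
The distinction argued in this thread, as an added example that is not code from the linked article or from either poster: two constructed roots share one subject name, and the program compares an issuer-name check with signature verification against the trusted root's public key for a certificate issued by each. It assumes .NET 6 or later (`CertificateRequest`, `X509ChainTrustMode.CustomRootTrust`); every name, key and certificate is constructed, and the helper names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Constructed data: two unrelated self-signed roots that share one subject name.
const string RootName = "CN=Example Root CA (constructed)";
X509Certificate2 trustedRoot = MakeRoot(RootName);   // stands in for a cert in the root store
X509Certificate2 lookalikeRoot = MakeRoot(RootName); // same name, different key pair

X509Certificate2[] leaves = { Issue(trustedRoot, "CN=leaf from trusted root"),
                              Issue(lookalikeRoot, "CN=leaf from look-alike root") };
foreach (X509Certificate2 leaf in leaves)
{
    Console.WriteLine($"{leaf.Subject}: issuer name matches={IssuerNameMatches(leaf, trustedRoot)}, " +
                      $"signature chains to trusted key={ChainsTo(leaf, trustedRoot)}");
}

// Name-only check: compares distinguished names and never touches a key.
static bool IssuerNameMatches(X509Certificate2 leaf, X509Certificate2 root) =>
    string.Equals(leaf.Issuer, root.Subject, StringComparison.Ordinal);

// Signature check: build a chain whose only trust anchor is the given root.
static bool ChainsTo(X509Certificate2 leaf, X509Certificate2 root)
{
    using var chain = new X509Chain();
    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
    chain.ChainPolicy.CustomTrustStore.Add(root);
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // constructed certs have no CRL
    return chain.Build(leaf);
}

static X509Certificate2 MakeRoot(string subject)
{
    RSA key = RSA.Create(2048); // not disposed here: Issue() needs the root's private key
    var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
    DateTimeOffset now = DateTimeOffset.UtcNow;
    return req.CreateSelfSigned(now.AddDays(-2), now.AddDays(30));
}

static X509Certificate2 Issue(X509Certificate2 issuer, string subject)
{
    RSA key = RSA.Create(2048);
    var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    DateTimeOffset now = DateTimeOffset.UtcNow;
    return req.Create(issuer, now.AddDays(-1), now.AddDays(7), new byte[] { 0x01, 0x23, 0x45, 0x67 });
}
```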

