Validation and Security Considerations
When validating an XML Signature, a procedure called Core Validation is followed.
- Reference Validation: Each Reference's digest is verified by retrieving the corresponding resource and applying any transforms and then the specified digest method to it. The result is compared to the recorded DigestValue; if they do not match, validation fails.
- Signature Validation: The SignedInfo element is serialized using the canonicalization method specified in CanonicalizationMethod, the key data is retrieved using KeyInfo or by other means, and the signature is verified using the method specified in SignatureMethod.
This procedure establishes whether the resources were really signed by the alleged party. However, because of the extensibility of the canonicalization and transform methods, the verifying party must also make sure that what was actually signed or digested is really what was present in the original data, in other words, that the algorithms used there can be trusted not to change the meaning of the signed data.
Read more about this topic: XML Signature
Famous quotes containing the word security:
“Of course we will continue to work for cheaper electricity in the homes and on the farms of America; for better and cheaper transportation; for low interest rates; for sounder home financing; for better banking; for the regulation of security issues; for reciprocal trade among nations and for the wiping out of slums. And my friends, for all of these we have only begun to fight.”
—Franklin D. Roosevelt (1882–1945)