Joval has already undergone SCAP 1.3 certification, so it may be helpful if I comment on our experience/approach.
Joval has the ability to read X.509 certificates that are embedded in XML digital signatures. It also has the ability for users to provide a certificate key store, where it can look up named certificates to retrieve public keys. The KeyStore must also contain the public keys for root certificates appearing in certificate chains, or else validation will fail. In practice, the validation content all embeds the certificates in the XML.
The question of whether or not an end-user actually wants to trust a particular signer is… left as an exercise for them to solve. Our contract as a validated module, we believe, is only to ensure that the XML wasn't tampered with since being signed, which happens to also be all that is explicitly required by the certification program.
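The two checks the post separates, integrity of the XML signature versus trust in the signer, can be kept apart in code as well. The following is an added example written for this thread using the JDK's built-in XMLDSig API (javax.xml.crypto); it is not Joval's code and does not reflect how that product is implemented. It assumes a signed SCAP document path, a PKCS12 key store path and its password as command-line arguments, assumes the store's trusted-certificate entries are the roots to chain to, and assumes offline evaluation (revocation checking is switched off, which is an assumption, not a recommendation). The key selector does what the post describes: take the public key from a certificate embedded in KeyInfo, and otherwise look a named certificate up in the key store.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyName;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Two separate questions: (1) is the ds:Signature intact? (2) do we trust whoever signed it? */
public final class ScapSignatureCheck {

    /** Verification key from an embedded X509Certificate, else from the key store by ds:KeyName. */
    static final class EmbeddedOrStoreKeySelector extends KeySelector {
        private final KeyStore store;
        final List<X509Certificate> embedded = new ArrayList<>(); // certificates seen in KeyInfo

        EmbeddedOrStoreKeySelector(KeyStore store) { this.store = store; }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext ctx)
                throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("Signature carries no KeyInfo");
            PublicKey chosen = null;
            for (Object item : keyInfo.getContent()) {
                if (item instanceof X509Data) {
                    for (Object o : ((X509Data) item).getContent()) {
                        if (o instanceof X509Certificate) {
                            embedded.add((X509Certificate) o);
                            if (chosen == null) chosen = ((X509Certificate) o).getPublicKey();
                        }
                    }
                } else if (item instanceof KeyName && store != null && chosen == null) {
                    try {
                        Certificate c = store.getCertificate(((KeyName) item).getName());
                        if (c != null) chosen = c.getPublicKey();
                    } catch (KeyStoreException e) {
                        throw new KeySelectorException(e);
                    }
                }
            }
            if (chosen == null) throw new KeySelectorException("No usable key in KeyInfo");
            final PublicKey key = chosen;
            return () -> key;
        }
    }

    /** Step 1: integrity only. True iff every Reference digest and the SignatureValue verify. */
    static boolean signatureIntact(Document doc, EmbeddedOrStoreKeySelector selector) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) throw new IllegalStateException("No ds:Signature element");
        DOMValidateContext ctx = new DOMValidateContext(selector, sigs.item(0));
        // Secure-validation mode: rejects weak algorithms and external/unsafe References.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx);
    }

    /** Step 2: policy. The embedded chain must reach a trusted root held in the store. */
    static void requireTrustedSigner(List<X509Certificate> certs, KeyStore trustStore) throws Exception {
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : certs) {           // PKIX paths exclude the anchor itself
            if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) path.add(c);
        }
        if (path.isEmpty()) throw new IllegalStateException("No embedded end-entity certificate");
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore); // anchors = trusted cert entries
        params.setRevocationEnabled(false);                     // assumption: offline, no CRL/OCSP
        CertPathValidator.getInstance("PKIX").validate(certPath, params); // throws if untrusted
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] signed SCAP content, args[1] PKCS12 store, args[2] its password.
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[1])) { store.load(in, args[2].toCharArray()); }

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required: XMLDSig elements are namespace-qualified
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        Document doc = dbf.newDocumentBuilder().parse(args[0]);

        EmbeddedOrStoreKeySelector sel = new EmbeddedOrStoreKeySelector(store);
        boolean intact = signatureIntact(doc, sel);
        System.out.println("signature intact: " + intact);
        if (intact) requireTrustedSigner(sel.embedded, store); // separate decision, separate failure
        System.out.println("signer chains to a trusted root in the key store");
    }
}
```

A document can pass the first check and fail the second: the signature is sound, but nobody the store trusts signed it. Keeping the two as distinct functions with distinct failure messages makes that distinction visible to whoever decides the trust question, which the post leaves to the end user.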