172 Chapter 5 • XML Digital Signatures

one page. (Let’s assume for this scenario that the tamperer knows how to preserve a file timestamp and checksum.) Without the manifest approach, all the Webmaster knows is that some page somewhere has been tampered with. Using a manifest, the Webmaster knows exactly which page has been tampered with.

Establishing Identity By Using X509

In everything that we have discussed so far, the identity of the signer is established by the fact that the signer has provided the key to the signature verifier through some external means. This is not a problem if we are using the signatures internally or between two parties that have already established a relationship. But what about a situation where the two parties have never met before, such as what typically happens in an e-commerce scenario? The solution to establishing the identity of the signer in this case is for the signer to have the key “notarized” by a trusted third party and to attach the notarization information to the signature. It is exactly this process that is handled by the X509 mechanism, which is typically used for Web servers that handle e-commerce. The key is sent to a Certificate Authority (CA), which will sign the key with its own signature once it has satisfied itself that your identity has been established. The CA will then return a copy of the certificate to the signer.
Once we have a valid certificate, we can generate an XML Digital Signature that incorporates an X509 certificate by adding an <X509Data> element to the <KeyInfo> element in the signature template:

    <KeyInfo>
      <X509Data/>
      <KeyValue/>
    </KeyInfo>

When the signature is generated, the X509Data element is filled in with the information from the CA:

    <KeyInfo>
      <X509Data>
        <X509Certificate>MIICmjCCAkSgAwIBAgIBBzANBgkqhkiG9w0BAQQFADCBvTELMAkGA1UE
    BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCE1vbnRlcmV5MSAwHgYDVQQKE
    xdUYXlnZXRhIFNjaWVudGlmaWMgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aW
    NlcyBEaXZpc2lvbjEZMBcGA1UEAxMQdmVnYS50YXlnZXRhLmNvbTEfMB0GCSqGSIb3DQEJARY
    Qc2tpcEB0YXlnZXRhLmNvbTAeFw0wMjA2MDYwODIzMzJaFw0wMzA2MDYwODIzMzJaMDoxFzAV
    BgNVBAMTDkV2ZXJldHQgQ2FydGVyMR8wHQYJKoZIhvcNAQkBFhBza2lwQHRheWdldGEuY29tM

www.syngress.com
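To show how the two sides of this exchange handle the <X509Data> element, here is an added Python example (not code from the book): it fills <X509Data> with a base64 certificate the way the signing step does, then on the verifying side decodes it back, tolerating the line-wrapped base64 seen in the listing above, and accepts the signer only if the certificate is on a trusted list. The certificate bytes are constructed filler, not a real X.509 structure, and the fingerprint pin is an assumption that stands in for verifying the CA's signature on the certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Constructed stand-in for the DER certificate returned by the CA; not a real
# X.509 structure, just a tag/length header followed by filler bytes.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

# The signature template from the text, with empty X509Data and KeyValue.
TEMPLATE = f"""<Signature xmlns="{DS}"><SignedInfo/><SignatureValue/>
  <KeyInfo><X509Data/><KeyValue/></KeyInfo></Signature>"""

def fill_x509_data(template_xml: str, cert_der: bytes) -> str:
    """Signing side: insert the base64 certificate into <X509Data>."""
    ET.register_namespace("", DS)
    root = ET.fromstring(template_xml)
    x509 = root.find("ds:KeyInfo/ds:X509Data", NS)
    if x509 is None:
        raise ValueError("template has no X509Data element")
    cert = ET.SubElement(x509, f"{{{DS}}}X509Certificate")
    # encodebytes wraps at 76 columns, the line-wrapped form seen in real signatures
    cert.text = base64.encodebytes(cert_der).decode("ascii")
    return ET.tostring(root, encoding="unicode")

def extract_cert(signature_xml: str) -> bytes:
    """Verifying side: recover the DER certificate from <KeyInfo>."""
    root = ET.fromstring(signature_xml)
    el = root.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if el is None or not (el.text or "").strip():
        raise ValueError("signature carries no X509Certificate")
    # Line breaks and spaces are legal inside the base64 text; drop them first.
    return base64.b64decode("".join(el.text.split()), validate=True)

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def signer_is_trusted(signature_xml: str, trusted_fingerprints: set) -> bool:
    """KeyInfo is supplied by the signer, so the embedded certificate proves
    nothing by itself. Assumption: a pinned fingerprint set stands in for
    checking the CA's signature on the certificate."""
    try:
        cert_der = extract_cert(signature_xml)
    except ValueError:
        return False
    return fingerprint(cert_der) in trusted_fingerprints
```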