XML signature - reasons to sign KeyInfo element

Question

According to XML Signature Specification (3.2.2 "Signature Validation"), KeyInfo element may be signed:

"Note, KeyInfo (or some transformed version thereof) may be signed via a Reference element."

Here we can see an example of xml with such signature.

Are there any reasons to sign the certificate by itself?

What security risks does it eliminate?

Answer 1

Take a look at this clarifying section about attribute signingCertificate in XAdES. ETSI XAdES is built on top of XMLDSig to stablish the requirements of advanced signatures that remain valid over long periods

signingCertificate is mandatory when ds:KeyInfo is not present or does not contain the certificate used to sign, and serves the same purpose

7.2.2 The SigningCertificate element

In many real life environments users will be able to get from different CAs or even from the same CA, different certificates containing the same public key for different names. The prime advantage is that a user can use the same private key for different purposes. Multiple use of the private key is an advantage when a smart card is used to protect the private key, since the storage of a smart card is always limited. When several CAs are involved, each different certificate may contain a different identity, e.g. as a national or as an employee from a company. Thus when a private key is used for various purposes, the certificate is needed to clarify the context in which the private key was used when generating the signature. Where there is the possibility of multiple uses of private keys it is necessary for the signer to indicate to the verifier the precise certificate to be used.

Many current schemes simply add the certificate after the signed data and thus are subject to various substitution attacks. An example of a substitution attack is a "bad" CA that would issue a certificate to someone with the public key of someone else. If the certificate from the signer was simply appended to the signature and thus not protected by the signature, any one could substitute one certificate by another and the message would appear to be signed by some one else. In order to counter this kind of attack, the identifier of the certificate has to be protected by the digital signature from the signer.