Hi Paul,
On 1/3/07, Paul Fremantle <[EMAIL PROTECTED]> wrote:
> Ruchith
>
> From your description above, it seems like in the case of
> X509KeyIdentifier and DirectReference the actual cert is included in
> the message and in the case of SKIKeyIdentifier, IssuerSerial and
> ThumbPrint, the cert needs to be in the server's keystore or LDAP.
> I think I can see that SKIKeyIdentifier, IssuerSerial and ThumbPrint
> are just three different ways of looking up the certificate in the
> store. Am I right?
Yes
> However, I don't understand the difference between X509KeyIdentifier
> and DirectReference. Can you explain that please!?
X509KeyIdentifier:
This is the case where a SecurityTokenReference uses a
wsse:KeyIdentifier element to refer to a key.
DirectReference:
This is where a SecurityTokenReference uses a "wsse:Reference" element
to refer to a security token.
Please see Sections 7.2 and 7.3 of [1]
Thanks,
Ruchith
[1]
https://svn.apache.org/repos/asf/webservices/wss4j/trunk/specs/wss-v1.1-spec-os-SOAPMessageSecurity.pdf
Paul
On 1/3/07, Ruchith Fernando <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On 12/21/06, Ali Sadik Kumlali <[EMAIL PROTECTED]> wrote:
> > Hi folks,
> >
> > I have many clients sending messages signed with their own certificates.
> > So, I stored their public certificates in a keystore. After:
> > - Looking at the x509-token-profile-1.0 spec [1]
> > - Reading the related mail [2]
> > - Reading the "Secure Message Exchanges with Multiple Users" article in
> > WSO2 [3]
> >
> > I still need to understand what the differences are between
> > X509KeyIdentifier and SKIKeyIdentifier.
>
> X509KeyIdentifier is used to refer to a cert. And in this case the
> base64 encoded cert is included directly within the key identifier
> element. This can be used when the endpoint that processes the message
> trusts a certain CA and the users are expected to use certs that are
> signed by that trusted CA. Therefore a signature with a trusted cert
> will be accepted. Note that the endpoint will not have to store all
> client certs in this case since they will be available in the message
> itself.
>
> SKIKeyIdentifier specifies the use of the "Subject Key Identifier"
> X.509 extension value as the mechanism to refer to the cert used to
> sign. In this case it should be noted that the endpoint that processes
> the message should have access to a store that holds the potential
> certificates so that the matching cert can be fetched (based on the
> SKI) to carry out signature verification.
> >
> > Both of them were accepted by the service without any change at the server side.
> > At the client side, on the other hand, the only change I made was setting
> > <signatureKeyIdentifier> in axis2.xml to either X509KeyIdentifier or
> > SKIKeyIdentifier. I examined the SOAP headers for both and found a little difference [4].
> >
> > At this point some questions come to my mind:
> > 1) Which one should I use at the client side?
>
> This will be specified by the policy of the service or how you manage
> certs of trusted users at the service. See the explanation above.
>
> >
> > 2) Can we say one is more compatible (or widely used) than the other?
>
> I am not sure which one is most used, but I think it's purely a decision
> in configuring the service.
>
> >
> > 3) Can we say one is more secure than the other?
>
> IMHO both mechanisms are the same, since both of them are different
> ways of referring to public information (cert).
>
> >
> > 4) Should I consider other signatureKeyIdentifier types (DirectReference,
> > IssuerSerial, Thumbprint)?
>
> DirectReference is another case where you add the base64 encoded cert
> into the message. And IssuerSerial and Thumbprint both require you to
> make sure the endpoint that processes the message has access to the
> certs in its store. Also note that the thumbprint ref is introduced only
> in WS-Sec-1.1.
>
> > 5) Should I just get some sleep and read all the docs again? :)
>
> I guess you had your sleep :-) Sorry about the delay in my response.
>
> Thanks,
> Ruchith
>
> >
> > Regards,
> >
> > Ali Sadik Kumlali
> >
> >
> > [1] http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
> > [2] http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200607.mbox/[EMAIL PROTECTED]
> > [3] http://www.wso2.net/tutorials/rampart/java/2006/09/06/sec-msg-exchg
> > [4]
> >
> > X509KeyIdentifier:
> > ------------------
> >
> > <wsse:KeyIdentifier
> >   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> >   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
> >   <!-- base64-encoded certificate not preserved in the archived message -->
> > </wsse:KeyIdentifier>
> >
> > SKIKeyIdentifier:
> > -----------------
> > <wsse:KeyIdentifier
> >   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> >   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
> >   Xeg55vRyK3ZhAEhEf+YT0z986L0=
> > </wsse:KeyIdentifier>
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
>
> --
> www.ruchith.org
> www.wso2.org
>
>
>
--
Paul Fremantle
VP/Technology, WSO2 and OASIS WS-RX TC Co-chair
http://bloglines.com/blog/paulfremantle
[EMAIL PROTECTED]
"Oxygenating the Web Service Platform", www.wso2.com
--
www.ruchith.org
www.wso2.org
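The distinction drawn in this thread (X509KeyIdentifier and DirectReference carry the certificate in the message, while SKIKeyIdentifier, IssuerSerial and Thumbprint are three lookup keys into the server's store) can be shown as a small resolver. The following Go program is an added example written for this page; it is not WSS4J or Rampart code, and the names RefKind, RefValue, CertStore, Resolve, newCert and BuildScenario are constructed for the illustration. It generates a throwaway CA, a client certificate under it, and a second client under a CA the server does not trust, then resolves each reference kind. The point it makes explicit, which the thread only implies, is that for the two in-message kinds nothing in the store vouches for the certificate, so the only trust decision is the chain check against the CA the endpoint trusts; the Thumbprint value follows WS-Security 1.1 (SHA-1 over the DER encoding).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// RefKind mirrors the signatureKeyIdentifier values discussed in the thread.
type RefKind int

const (
	X509KeyIdentifier RefKind = iota // whole DER cert carried in wsse:KeyIdentifier
	DirectReference                  // whole cert carried as a BinarySecurityToken
	SKIKeyIdentifier                 // Subject Key Identifier extension value
	IssuerSerial                     // issuer DN plus serial number
	Thumbprint                       // SHA-1 over the DER cert (WS-Security 1.1 only)
)

// RefValue is what a client puts in its SecurityTokenReference under each scheme.
func RefValue(kind RefKind, c *x509.Certificate) string {
	switch kind {
	case SKIKeyIdentifier:
		return base64.StdEncoding.EncodeToString(c.SubjectKeyId)
	case IssuerSerial:
		return c.Issuer.String() + "|" + c.SerialNumber.String()
	case Thumbprint:
		sum := sha1.Sum(c.Raw)
		return base64.StdEncoding.EncodeToString(sum[:])
	default: // X509KeyIdentifier, DirectReference
		return base64.StdEncoding.EncodeToString(c.Raw)
	}
}

// CertStore stands in for the server's keystore plus the CA it trusts.
type CertStore struct {
	clients []*x509.Certificate // certs the server holds
	trusted *x509.CertPool      // accepted issuers for certs that arrive in-message
}

// Resolve maps a reference to the signer's cert: in-message kinds are parsed
// and chain-checked, lookup kinds must match something already in the store.
func (s *CertStore) Resolve(kind RefKind, value string) (*x509.Certificate, error) {
	if kind == X509KeyIdentifier || kind == DirectReference {
		der, _ := base64.StdEncoding.DecodeString(value) // bad base64 fails in parsing
		c, err := x509.ParseCertificate(der)
		if err == nil { // the store never saw this cert; trust rests on the chain
			_, err = c.Verify(x509.VerifyOptions{Roots: s.trusted})
		}
		if err != nil {
			return nil, fmt.Errorf("in-message cert rejected: %w", err)
		}
		return c, nil
	}
	for _, c := range s.clients {
		if RefValue(kind, c) == value {
			return c, nil
		}
	}
	return nil, fmt.Errorf("no cert in store for reference kind %d", kind)
}

// newCert mints throwaway certs: a self-signed CA when parent is nil, otherwise
// a leaf signed by parent. All values are generated here; none are real.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	ski := sha1.Sum(spki) // SKI derived from the public key, as RFC 5280 suggests
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, SubjectKeyId: ski[:],
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// BuildScenario: one client under the trusted CA, one under a CA the server
// does not trust. Returns the store and both client certs (constructed data).
func BuildScenario() (store *CertStore, trustedClient, otherClient *x509.Certificate) {
	ca, caKey := newCert("Trusted CA", nil, nil)
	trustedClient, _ = newCert("alice", ca, caKey)
	otherCA, otherKey := newCert("Other CA", nil, nil)
	otherClient, _ = newCert("bob", otherCA, otherKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &CertStore{clients: []*x509.Certificate{trustedClient}, trusted: pool}, trustedClient, otherClient
}
```

Resolving every kind for the trusted client succeeds, and every kind for the other client fails, but for different reasons: the three lookup kinds simply find nothing in the store, whereas the two in-message kinds parse a perfectly good certificate and reject it only because it does not chain to the trusted CA. That is the operational difference behind the answer to question 3 above: the schemes refer to the same public information, but with in-message references the endpoint's CA trust configuration is the whole access decision.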