Excellent explanations as always! I love this dream :) Thank you Ruchith.

Regards,

Ali Sadik Kumlali

----- Original Message ----
From: Ruchith Fernando <[EMAIL PROTECTED]>
To: [email protected]
Sent: Wednesday, January 3, 2007 12:16:11 PM
Subject: Re: [Axis2][Rampart] What are the differences between X509KeyIdentifier and SKIKeyIdentifier?

Hi Paul,

On 1/3/07, Paul Fremantle <[EMAIL PROTECTED]> wrote:
> Ruchith
>
> From your description above, it seems like in the case of
> X509KeyIdentifier and DirectReference the actual cert is included in
> the message and in the case of SKIKeyIdentifier, IssuerSerial and
> ThumbPrint, the cert needs to be in the server's keystore or LDAP.
>
> I think I can see that SKIKeyIdentifier, IssuerSerial and ThumbPrint
> are just three different ways of looking up the certificate in the
> store. Am I right?

Yes

>
> However, I don't understand the difference between X509KeyIdentifier
> and DirectReference. Can you explain that please!?

X509KeyIdentifier:

This is the case where a SecurityTokenReference uses a
wsse:KeyIdentifier element to refer to a key.

DirectReference:

This is where a SecurityTokenReference uses a wsse:Reference element
to refer to a security token.

Please see Sections 7.2 and 7.3 of [1]

Thanks,
Ruchith

[1] 
https://svn.apache.org/repos/asf/webservices/wss4j/trunk/specs/wss-v1.1-spec-os-SOAPMessageSecurity.pdf


>
> Paul
>
> On 1/3/07, Ruchith Fernando <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > On 12/21/06, Ali Sadik Kumlali <[EMAIL PROTECTED]> wrote:
> > > Hi folks,
> > >
> > > I have many clients sending messages signed with their own certificates.
> > > So, I stored their public certificates in a keystore. After:
> > >   - Looking at the x509-token-profile-1.0 spec [1]
> > >   - Reading the related mail [2]
> > >   - Reading the "Secure Message Exchanges with Multiple Users" article in
> > > WS20 [3]
> > >
> > > I still need to understand what the differences are between
> > > X509KeyIdentifier and SKIKeyIdentifier.
> >
> > X509KeyIdentifier is used to refer to a cert. In this case the
> > base64-encoded cert is included directly within the key identifier
> > element. This can be used when the endpoint that processes the message
> > trusts a certain CA and the users are expected to use certs that are
> > signed by that trusted CA. Therefore a signature with a trusted cert
> > will be accepted. Note that the endpoint will not have to store all
> > client certs in this case, since they will be available in the message
> > itself.
> >
> > SKIKeyIdentifier specifies the use of the "Subject Key Identifier"
> > X.509 extension value as the mechanism to refer to the cert used to
> > sign. In this case it should be noted that the endpoint that processes
> > the message should have access to a store that holds the potential
> > certificates so that the matching cert can be fetched (based on the
> > SKI) to carry out signature verification.
> > >
> > > Both of them were accepted by the service without any change at the
> > > server side. At the client side, on the other hand, the only change I made was
> > > setting <signatureKeyIdentifier> in axis2.xml to either
> > > X509KeyIdentifier or SKIKeyIdentifier. I examined the SOAP headers for
> > > both and found a little difference [4].
> > >
> > > At this point some questions come to my mind:
> > > 1) Which one should I use at the client side?
> >
> > This will be specified by the policy of the service or how you manage
> > certs of trusted users at the service. See the explanation above.
> >
> > >
> > > 2) Can we say one is more compatible (or more widely used) than the other?
> >
> > I am not sure which one is most used, but I think it's purely a decision
> > in configuring the service.
> >
> > >
> > > 3) Can we say one is more secure than the other?
> >
> > IMHO both mechanisms are the same, since both of them are different
> > ways of referring to public information (cert).
> >
> > >
> > > 4) Should I consider other signatureKeyIdentifier types (DirectReference, 
> > > IssuerSerial, Thumbprint)?
> >
> > DirectReference is another case where you add the base64-encoded cert
> > into the message. IssuerSerial and Thumbprint both require you to
> > make sure the endpoint that processes the message has access to the
> > certs in its store. Also note that the thumbprint reference is introduced only
> > in WS-Sec-1.1.
> >
> > > 5) Should I just get some sleep and read all the docs again? :)
> >
> > I guess you had your sleep :-) Sorry about the delay in my response.
> >
> > Thanks,
> > Ruchith
> >
> > >
> > > Regards,
> > >
> > > Ali Sadik Kumlali
> > >
> > >
> > > [1] 
> > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
> > > [2] 
> > > http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200607.mbox/[EMAIL 
> > > PROTECTED]
> > > [3] http://www.wso2.net/tutorials/rampart/java/2006/09/06/sec-msg-exchg
> > > [4]
> > >
> > > X509KeyIdentifier:
> > > ------------------
> > >
> > > <wsse:KeyIdentifier
> > >   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> > >   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
> > >   [base64-encoded certificate value omitted]
> > > </wsse:KeyIdentifier>
> > >
> > > SKIKeyIdentifier:
> > > -----------------
> > > <wsse:KeyIdentifier
> > >   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> > >   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
> > >   Xeg55vRyK3ZhAEhEf+YT0z986L0=
> > > </wsse:KeyIdentifier>
> > >
> > >
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Tired of spam?  Yahoo! Mail has the best spam protection around
> > > http://mail.yahoo.com
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> >
> >
> > --
> > www.ruchith.org
> > www.wso2.org
> >
> >
> >
>
>
> --
> Paul Fremantle
> VP/Technology, WSO2 and OASIS WS-RX TC Co-chair
>
> http://bloglines.com/blog/paulfremantle
> [EMAIL PROTECTED]
>
> "Oxygenating the Web Service Platform", www.wso2.com
>
>
>


-- 
www.ruchith.org
www.wso2.org







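As an added example that is not part of any message in this thread and not Rampart or WSS4J code, the following Python shows how a receiving endpoint resolves the signing certificate for each SecurityTokenReference style the thread discusses: a wsse:KeyIdentifier with the X509v3 value type (X509KeyIdentifier, cert carried inline), a wsse:KeyIdentifier with the X509SubjectKeyIdentifier value type (SKIKeyIdentifier, cert looked up in the endpoint's store), and a wsse:Reference to a BinarySecurityToken (DirectReference, cert carried inline). It also encodes the trust rule Ruchith describes: a cert fetched from the store is trusted by being there, while an inline cert is only trusted if it chains to a CA the endpoint trusts. The certificate bytes, SKI value, element ids and the `trusted_ca_check` callback are constructed placeholders; the namespace and ValueType URIs are the standard WS-Security 1.0 ones.

```python
"""Resolve the certificate behind a WS-Security SecurityTokenReference.

Added illustration, not Rampart/WSS4J code. Certificate bytes and SKI values
are constructed stand-ins; a real endpoint would parse DER certificates and
read the SubjectKeyIdentifier extension from each stored cert.
"""
import base64
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
X509_SKI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"

# Constructed stand-ins for DER-encoded client certificates.
CERT_A = b"DER-CERT-OF-CLIENT-A"
CERT_B = b"DER-CERT-OF-CLIENT-B"
SKI_A = bytes(range(20))  # constructed 20-byte SubjectKeyIdentifier of CERT_A

# The endpoint's certificate store, keyed by SKI bytes. Only the SKI style
# needs it; the two inline styles carry the certificate in the message.
STORE = {SKI_A: CERT_A}


def _b64(text):
    """Decode base64 element text, tolerating line breaks and indentation."""
    return base64.b64decode("".join((text or "").split()))


def resolve_str(str_elem, header, store):
    """Return (cert_bytes, source); source is 'inline' or 'store'."""
    kid = str_elem.find(f"{{{WSSE}}}KeyIdentifier")
    if kid is not None:
        value, vt = _b64(kid.text), kid.get("ValueType")
        if vt == X509V3:  # X509KeyIdentifier: the cert itself is in the message
            return value, "inline"
        if vt == X509_SKI:  # SKIKeyIdentifier: SKI selects a cert from the store
            if value not in store:
                raise LookupError("no certificate in store for this SKI")
            return store[value], "store"
        raise ValueError(f"unsupported KeyIdentifier ValueType {vt!r}")
    ref = str_elem.find(f"{{{WSSE}}}Reference")
    if ref is not None:  # DirectReference: URI="#id" points at a BinarySecurityToken
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("only local (#id) references are supported")
        for bst in header.iter(f"{{{WSSE}}}BinarySecurityToken"):
            if bst.get(f"{{{WSU}}}Id") == uri[1:] and bst.get("ValueType") == X509V3:
                return _b64(bst.text), "inline"
        raise LookupError(f"no X509v3 BinarySecurityToken with Id {uri[1:]!r}")
    raise ValueError("SecurityTokenReference has neither KeyIdentifier nor Reference")


def accept_signing_cert(cert, source, trusted_ca_check):
    """Trust rule: a store hit is trusted by being in the store; an inline cert
    is trusted only if trusted_ca_check (chain validation, assumed) accepts it."""
    if source == "store":
        return True
    return bool(trusted_ca_check(cert))


def build_header(str_xml):
    """Constructed wsse:Security header holding one BST (CERT_B) and one STR."""
    bst = base64.b64encode(CERT_B).decode()
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:BinarySecurityToken wsu:Id="CertId-1" EncodingType="{B64}" '
            f'ValueType="{X509V3}">{bst}</wsse:BinarySecurityToken>'
            f'{str_xml}</wsse:Security>')


# The three STR shapes from the thread, with constructed values.
EXAMPLES = {
    "X509KeyIdentifier": (
        f'<wsse:SecurityTokenReference><wsse:KeyIdentifier EncodingType="{B64}" '
        f'ValueType="{X509V3}">{base64.b64encode(CERT_A).decode()}'
        '</wsse:KeyIdentifier></wsse:SecurityTokenReference>'),
    "SKIKeyIdentifier": (
        f'<wsse:SecurityTokenReference><wsse:KeyIdentifier EncodingType="{B64}" '
        f'ValueType="{X509_SKI}">{base64.b64encode(SKI_A).decode()}'
        '</wsse:KeyIdentifier></wsse:SecurityTokenReference>'),
    "DirectReference": (
        '<wsse:SecurityTokenReference><wsse:Reference URI="#CertId-1"/>'
        '</wsse:SecurityTokenReference>'),
}


def resolve_example(name, store=STORE):
    """Parse the constructed header for one STR style and resolve its cert."""
    header = ET.fromstring(build_header(EXAMPLES[name]))
    str_elem = header.find(f"{{{WSSE}}}SecurityTokenReference")
    return resolve_str(str_elem, header, store)


if __name__ == "__main__":
    for name in EXAMPLES:
        cert, source = resolve_example(name)
        ok = accept_signing_cert(cert, source, lambda c: c == CERT_A)
        print(f"{name:18s} -> {source:6s} cert={cert!r} accepted={ok}")
```

The point the code makes concrete is the one in the thread: with X509KeyIdentifier and DirectReference the endpoint never needs the client's cert on file, so the only thing standing between an arbitrary inline cert and an accepted signature is the chain check in `trusted_ca_check`; with SKIKeyIdentifier (and likewise IssuerSerial and Thumbprint) a signer is recognised only if its cert was provisioned into the store beforehand.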
