In terms of production use, I think that the Synapse user would like to be able to configure exactly which certificate should be used for a specific endpoint. I'm not sure I agree that different endpoints are likely to have different CAs. That is true in the self-signed case, but in the case of Verisign it might not be. Another use case is the PEPPOL infrastructure (http://peppol.eu), where there will be many endpoints sharing a common CA.
Paul

On Tue, Jul 21, 2009 at 10:55 AM, Andreas Veithen <[email protected]> wrote:
> On Tue, Jul 21, 2009 at 11:30, Oleg Kalnichevski <[email protected]> wrote:
>> On Tue, Jul 21, 2009 at 11:22:58AM +0200, Andreas Veithen wrote:
>>> > Well, if not through different stores, how can we let the KeyManager know what cert to use for this particular endpoint?
>>>
>>> If I remember well, this is how it works: during the handshake, the server presents a list of trusted CAs to the client. The client then selects the certificate that is signed (directly or indirectly) by that CA and uses that to authenticate. I'm pretty sure this is what happens when you create a java.net.URL with the https scheme and call openConnection on it. Since behind the scenes this uses an SSLContext, chances are high that it also works with our HTTPS transport (or that it would be pretty easy to make it work).
>>>
>>> Of course this only satisfies the requirement if the two endpoints use different CAs, which should be the usual case.
>>>
>>> Andreas
>>>
>>
>> Hi Andreas
>>
>> I may be wrong about it but I believe the client can present whatever client cert it pleases. That cert does not _have_ to be signed by one of the trusted CA certs sent to the client by the server. For instance, common browsers simply pop up a UI dialog and let you pick any client certificate available in the certificate store, if the server requests client authentication in the course of SSL context negotiation.
>>
>> Oleg
>>
>
> That is possible, but it is only relevant for a scheme where the consumer of the service creates a certificate himself (typically a self-signed certificate) and somehow registers that with the provider of the service. This implies that the provider has to manage a list of recognized client certificates to authenticate the client. I don't think that is a usual scheme for Web services (BTW, how would you do that with Axis2?), but that it is more usual for the provider to issue certificates to the consumer, so that authentication is based on the signature on the client certificate. But again, this is a question about the requirements.
>
> Andreas
>

--
Paul Fremantle
Co-Founder and CTO, WSO2
Apache Synapse PMC Chair
OASIS WS-RX TC Co-chair

blog: http://pzf.fremantle.org
[email protected]

"Oxygenating the Web Service Platform", www.wso2.com

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
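The two selection strategies the thread argues about, written out as an added example (not Synapse or Axis2 code): a JSSE key manager that first honours a per-endpoint alias configured by the user, as Paul asks for, and otherwise falls back to the CA list the server sends in its CertificateRequest, as Andreas describes. The class name `EndpointAwareKeyManager` and the `aliasByEndpoint` configuration map are assumptions.

```java
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;

/* Hypothetical client key manager (added example, not Synapse/Axis2 code). Wrap the
 * X509KeyManager obtained from KeyManagerFactory and pass this object to SSLContext.init();
 * JSSE calls chooseClientAlias() when the server requests client authentication. */
public final class EndpointAwareKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;             // JSSE key manager over the keystore
    private final Map<String, String> aliasByEndpoint; // "host:port" -> alias (assumed config format)

    public EndpointAwareKeyManager(X509KeyManager delegate, Map<String, String> aliasByEndpoint) {
        this.delegate = delegate;
        this.aliasByEndpoint = aliasByEndpoint;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        // 1) An explicit per-endpoint alias wins. This path ignores the issuers hint: as Oleg
        //    notes, the client may offer any cert; whether the server accepts it is its decision.
        if (socket != null && socket.getInetAddress() != null) {
            String configured = aliasByEndpoint.get(socket.getInetAddress().getHostName() + ":" + socket.getPort());
            if (configured != null) return configured;
        }
        // 2) Otherwise follow the CA list the server sent in CertificateRequest, which JSSE
        //    passes as `issuers`: the mechanism Andreas describes.
        return chooseByIssuer(keyTypes, issuers);
    }

    /** First alias whose chain contains a cert issued by one of the advertised CAs. */
    String chooseByIssuer(String[] keyTypes, Principal[] issuers) {
        for (String keyType : keyTypes) {
            String[] aliases = delegate.getClientAliases(keyType, issuers); // already issuer-filtered
            if (aliases != null && aliases.length > 0) return aliases[0];
        }
        return null; // no candidate: no client cert is sent and the server decides how to proceed
    }

    // Remaining X509KeyManager methods delegate unchanged.
    @Override public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
    @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
    @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
}
```

With an empty `aliasByEndpoint` map the behaviour reduces to the default JSSE issuer matching; a populated map gives the per-endpoint control Paul describes without needing a separate keystore per endpoint.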
