Martin,
that's the way it works. It's not a very secure way, but
the security is achieved by the way the secret key used
to sign is produced.
This is a spec that Microsoft uses. The secret key is
composed of the password, the created timestamp, a fixed
text string and a nonce (random number). It is not
safe to use this key for encryption but is fair enough
to use it for signature because the created time and the nonce
change for every signature.
With this technique you can only prove that the document was
not modified during transfer, but not prove that it comes from
a specific client. To do so the client as well as the server
need to keep track of the secret keys. The application (server)
can do this because all necessary information is delivered
to the service.
This is not done yet for the client.
Regards,
Werner
Martin Stemplinger wrote:
Werner Dittmann wrote on 06/11/2005 09:24 AM:
For an example of how to use it and how the action parameters shall be
used, please have a look into the interop/**/oasis/ directories and in
the files client_deploy.wsdd and ping/deploy.wsdd. The scenario
ping2a is the correct one.
Regards,
Werner
Werner,
with your kind help I got it working. Thanks! But I'm a bit surprised
that client uses a cleartype password even though I gave the parameter
to use PasswordDigest. Is this a bug or feature?
Cheers
Martin
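
The per-message signing key Werner describes at the top of this thread, sketched as an added example that is not part of the original messages or the project's code. Assumptions: the fixed text string is "WS-Security", the inputs are combined with a TLS-style P_SHA1 expansion keyed by the password, and the key is 16 bytes; the thread states none of these. The names derive_key, sign and Verifier are hypothetical.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

LABEL = b"WS-Security"  # assumed fixed text string; the thread does not name it

def p_sha1(secret, seed, length):
    """TLS-style P_SHA1 expansion (assumed construction for this sketch)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

def derive_key(password, nonce, created, length=16):
    """Secret key = f(password, fixed label, nonce, created timestamp)."""
    seed = LABEL + nonce + created.encode()
    return p_sha1(password.encode(), seed, length)

def sign(password, body):
    """Client side: fresh nonce and timestamp give a fresh key per message."""
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    key = derive_key(password, nonce, created)
    sig = hmac.new(key, body, hashlib.sha1).digest()
    # nonce and created travel in the token so the server can rebuild the key
    return {"nonce": nonce, "created": created, "sig": sig}

class Verifier:
    """Server side: rebuilds the key and keeps track of keys already used."""
    def __init__(self, password):
        self.password = password
        self.seen = set()

    def verify(self, token, body):
        key = derive_key(self.password, token["nonce"], token["created"])
        if key in self.seen:
            return "replayed"      # same nonce/created pair seen before
        expected = hmac.new(key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, token["sig"]):
            return "modified"      # body or signature changed in transit
        self.seen.add(key)
        return "ok"
```
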