Werner,

As I understand it, it's not from one specification, but a new thingy based on parts from several specifications, WS-Security and WS-Trust, and maybe even WS-Secure Conversation. The best piece of evidence was from "herveyw's blog" [1]. If I get it right, the "Basic Security Profile Version 1.0" [2] confirms this with this quote:

<quote> The Username Token profile does not currently define a key derivation algorithm. The OASIS WSS TC is expected to address this issue in a subsequent specification. </quote>

Regards
Brian

[1] http://www.dynamic-cast.com/mt-archives/000019.html
[2] http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html#Key_Derivation

-----Original Message-----
From: Dittmann, Werner [mailto:[EMAIL PROTECTED]
Sent: 17 June 2005 08:03
To: Werner Dittmann; [EMAIL PROTECTED]
Cc: [email protected]
Subject: Re: How to configure UsernameTokenSignature

Martin,

this "Signature with UsernameToken" function was more or less reverse engineered; we didn't have any specification at hand. Therefore it could be that some actions/behaviour are not completely correct.

Do you have, by any chance, the original specification? Does anybody who reads the mail have the "official" spec for this function?

Regards,
Werner

> -----Original Message-----
> From: Werner Dittmann [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 16 June 2005 22:54
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: Re: How to configure UsernameTokenSignature
>
> Martin,
>
> that's the way it works. It's not a very secure way, but the security is
> achieved by the way the secret key used to sign is produced.
>
> This is a spec that Microsoft uses. The secret key is composed of the
> password, the created timestamp, a fixed text string and a nonce
> (random number). It is not safe to use this key for encryption but it is
> fair enough to use it for signature because the created time and the
> nonce change for every signature.
>
> With this technique you can only prove that the document was not
> modified during transfer, but not prove that it comes from a specific
> client. To do so the client as well as the server needs to keep track
> of the secret keys. The application (server) can do this because all
> necessary information is delivered to the service.
>
> This is not done yet for the client.
>
> Regards,
> Werner
>
> Martin Stemplinger wrote:
> > Werner Dittmann wrote on 06/11/2005 09:24 AM:
> >
> >> For an example how to use it and how the action parameters shall be
> >> used pls have a look into the interop/**/oasis/ directories and in
> >> the files client_deploy.wsdd and ping/deploy.wsdd. The scenario
> >> ping2a is the correct one.
> >>
> >> Regards,
> >> Werner
> >>
> > Werner,
> >
> > with your kind help I got it working. Thanks! But I'm a bit surprised
> > that the client uses a cleartext password even though I gave the parameter
> > to use PasswordDigest. Is this a bug or a feature?
> >
> > Cheers
> > Martin
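
The key derivation Werner describes in the quoted message, as an added Python illustration (not WSS4J's or Microsoft's code): the password is the secret, and a fixed label, the nonce and the created timestamp form the seed of a TLS-style P_SHA-1 expansion, so the signing key changes for every message. The label text, seed ordering, 16-byte key length and the plain HMAC standing in for the XML signature are assumptions; the server-side check that refuses a reused nonce/created pair goes beyond what the thread covers.

```python
import hmac
import hashlib

# Fixed text string mixed into the seed; the real label is an assumption here.
LABEL = b"WS-Security"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA-1 expansion (RFC 2246 section 5): chain HMAC-SHA1
    outputs until `length` bytes are produced."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_signing_key(password: str, nonce: bytes, created: str,
                       key_len: int = 16) -> bytes:
    """Signing key from password + fixed label + nonce + created timestamp.
    Seed ordering and key length are assumptions for illustration."""
    seed = LABEL + nonce + created.encode("utf-8")
    return p_sha1(password.encode("utf-8"), seed, key_len)


def sign(key: bytes, body: bytes) -> bytes:
    """HMAC-SHA1 over the message body (stands in for the XML signature)."""
    return hmac.new(key, body, hashlib.sha1).digest()


class Verifier:
    """Server side: recomputes the key from the stored password and rejects
    a reused nonce/created pair so a captured signature cannot be replayed."""

    def __init__(self, passwords: dict):
        self.passwords = passwords   # username -> password known to the server
        self.seen = set()            # (nonce, created) pairs already accepted

    def verify(self, user: str, nonce: bytes, created: str,
               body: bytes, mac: bytes) -> bool:
        if (nonce, created) in self.seen:       # replayed token
            return False
        password = self.passwords.get(user)
        if password is None:                    # unknown user
            return False
        key = derive_signing_key(password, nonce, created)
        if not hmac.compare_digest(sign(key, body), mac):
            return False                        # body or token tampered
        self.seen.add((nonce, created))
        return True
```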
