Yes agreed ... this is a bug in Rampart ... In the case where we use the SymmetricBinding the recipient has to use the ephemeral key sent by the initiator to derive keys. In the case where key derivation is not required the recipient should use the ephemeral key it self for signature and encryption.
Nandana can you please raise a JIRA issue on this? Thanks, Ruchith Nandana Mihindukulasooriya wrote: > Hi, > In Ramaprt, when we use derived keys in a symmetric binding assertion > with X509Token, in client side > we create an encrypted key encrypted for servers certificate and use the > ephemeral key of that encrypted key > to create the DerivedKeys. When the server sends it's response back to the > client, it does the same, by creating > an encrypted key for the client certificate and using ephemeral key of that > encrypted key to create the DerivedKeys. > But this prevents the scenario that anonymous clients sending requests to > the service because we have to have the > clients certificate to create the encrypted key in the response. > This could be avoided if we use the same ephemeral key to create all the > derived keys in both request and the > response. In the response, we can provide a security token reference in > derived keys using a key identifier to > the encrypted key used in the request as defined in the section > 7.7Encrypted Key reference of the specification > wss 1.1 Soap Message Security. Is this the right way to go ? > > Regards, > Nandana >
signature.asc
Description: OpenPGP digital signature
