Hi, Created a jira issue on this. http://issues.apache.org/jira/browse/RAMPART-94
I am currently working on this issue. Btw, this seems to trigger fairly big change in related classes in Rampart and WSS4J. But IMHO, I think it is worth changing the implementation. Regards, Nandana On 10/5/07, Ruchith Fernando <[EMAIL PROTECTED]> wrote: > > Yes agreed ... this is a bug in Rampart ... In the case where we use the > SymmetricBinding the recipient has to use the ephemeral key sent by the > initiator to derive keys. In the case where key derivation is not > required the recipient should use the ephemeral key it self for > signature and encryption. > > Nandana can you please raise a JIRA issue on this? > > Thanks, > Ruchith > > Nandana Mihindukulasooriya wrote: > > Hi, > > In Ramaprt, when we use derived keys in a symmetric > binding assertion > > with X509Token, in client side > > we create an encrypted key encrypted for servers certificate and use > the > > ephemeral key of that encrypted key > > to create the DerivedKeys. When the server sends it's response back to > the > > client, it does the same, by creating > > an encrypted key for the client certificate and using ephemeral key of > that > > encrypted key to create the DerivedKeys. > > But this prevents the scenario that anonymous clients sending requests > to > > the service because we have to have the > > clients certificate to create the encrypted key in the response. > > This could be avoided if we use the same ephemeral key to create all > the > > derived keys in both request and the > > response. In the response, we can provide a security token reference in > > derived keys using a key identifier to > > the encrypted key used in the request as defined in the section > > 7.7Encrypted Key reference of the specification > > wss 1.1 Soap Message Security. Is this the right way to go ? > > > > Regards, > > Nandana > > > > > > >
