Nandana Mihindukulasooriya wrote:
> Hi,
> Created a JIRA issue on this.
> http://issues.apache.org/jira/browse/RAMPART-94
>
> I am currently working on this issue. Btw, this seems to trigger a fairly
> big change in related classes in Rampart and WSS4J. But IMHO,
> I think it is worth changing the implementation.

Sure... go for it!

Thanks,
Ruchith

> Regards,
> Nandana
>
> On 10/5/07, Ruchith Fernando <[EMAIL PROTECTED]> wrote:
>> Yes agreed ... this is a bug in Rampart ... In the case where we use the
>> SymmetricBinding the recipient has to use the ephemeral key sent by the
>> initiator to derive keys. In the case where key derivation is not
>> required the recipient should use the ephemeral key itself for
>> signature and encryption.
>>
>> Nandana can you please raise a JIRA issue on this?
>>
>> Thanks,
>> Ruchith
>>
>> Nandana Mihindukulasooriya wrote:
>>> Hi,
>>> In Rampart, when we use derived keys in a symmetric binding assertion
>>> with X509Token, on the client side we create an encrypted key encrypted
>>> for the server's certificate and use the ephemeral key of that encrypted
>>> key to create the DerivedKeys. When the server sends its response back to
>>> the client, it does the same, by creating an encrypted key for the client
>>> certificate and using the ephemeral key of that encrypted key to create
>>> the DerivedKeys.
>>>
>>> But this prevents the scenario of anonymous clients sending requests to
>>> the service, because we have to have the client's certificate to create
>>> the encrypted key in the response.
>>>
>>> This could be avoided if we use the same ephemeral key to create all the
>>> derived keys in both the request and the response. In the response, we
>>> can provide a security token reference in the derived keys using a key
>>> identifier to the encrypted key used in the request, as defined in
>>> section 7.7 Encrypted Key reference of the WSS 1.1 SOAP Message Security
>>> specification. Is this the right way to go?
>>>
>>> Regards,
>>> Nandana
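The exchange Nandana proposes, as an added example that is not part of the thread and not Rampart or WSS4J code: the client derives its request key from the ephemeral key it wrapped for the server, and the server derives the response key from that same ephemeral key, referencing it with a wsse11:EncryptedKeySHA1 key identifier (WSS 1.1 section 7.7) rather than wrapping a fresh key for a client certificate it may not have. Key derivation follows the WS-SecureConversation P_SHA-1 construction over label + nonce. Rampart and WSS4J are Java; Python is used here only so the protocol logic is easy to run. The EncryptedKey CipherValue is constructed sample bytes standing in for the RSA-wrapped key, and the server's `unwrap` lookup stands in for private-key decryption; both are assumptions of this example, as are all function names.

```python
"""Request/response derived keys from one ephemeral key (example, not Rampart code)."""
import base64
import hashlib
import hmac
import os

# Default label from WS-SecureConversation; the seed is label || nonce.
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"
EK_SHA1_VALUETYPE = ("http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1"
                     "#EncryptedKeySHA1")


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA-1 expansion: A(i) = HMAC(secret, A(i-1)), output HMAC(secret, A(i)||seed)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 16,
               label: bytes = DEFAULT_LABEL) -> bytes:
    """DerivedKeyToken key: P_SHA1(secret, label || nonce) sliced at [offset, offset+length)."""
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]


def encrypted_key_sha1(cipher_value: bytes) -> str:
    """WSS 1.1 7.7: base64(SHA-1(raw, non-base64 encrypted-key octets))."""
    return base64.b64encode(hashlib.sha1(cipher_value).digest()).decode("ascii")


def client_build_request(ephemeral_key: bytes, cipher_value: bytes, nonce: bytes) -> dict:
    """Client: EncryptedKey (wrapped for the server cert) + DerivedKeyToken pointing at it."""
    return {
        "EncryptedKey": {"Id": "EK-1", "CipherValue": cipher_value},
        "DerivedKeyToken": {"Nonce": nonce, "Offset": 0, "Length": 16, "Reference": "#EK-1"},
        "derived_key": derive_key(ephemeral_key, nonce),
    }


def server_build_response(unwrap: dict, request: dict, nonce: bytes) -> dict:
    """Server: unwrap the request's ephemeral key, reuse it, and reference it by EncryptedKeySHA1.
    No client certificate is needed, so anonymous clients work."""
    cipher_value = request["EncryptedKey"]["CipherValue"]
    ephemeral_key = unwrap[cipher_value]  # stand-in for RSA private-key decryption (assumption)
    request_key = derive_key(ephemeral_key, request["DerivedKeyToken"]["Nonce"],
                             request["DerivedKeyToken"]["Offset"],
                             request["DerivedKeyToken"]["Length"])
    return {
        "request_key_seen_by_server": request_key,
        "DerivedKeyToken": {
            "Nonce": nonce, "Offset": 0, "Length": 16,
            "KeyIdentifier": {"ValueType": EK_SHA1_VALUETYPE,
                              "Value": encrypted_key_sha1(cipher_value)},
        },
        "derived_key": derive_key(ephemeral_key, nonce),
    }


def client_resolve_response_key(sent_keys: dict, response: dict) -> bytes:
    """Client: map the EncryptedKeySHA1 identifier back to the ephemeral key it sent.
    An identifier for a key the client never sent raises KeyError (reject the message)."""
    dkt = response["DerivedKeyToken"]
    kid = dkt["KeyIdentifier"]
    if kid["ValueType"] != EK_SHA1_VALUETYPE:
        raise ValueError("unexpected KeyIdentifier ValueType")
    ephemeral_key = sent_keys[kid["Value"]]
    return derive_key(ephemeral_key, dkt["Nonce"], dkt["Offset"], dkt["Length"])


def run_exchange(ephemeral_key: bytes, cipher_value: bytes, req_nonce: bytes, resp_nonce: bytes):
    """Full round trip; returns the four derived keys so they can be compared."""
    request = client_build_request(ephemeral_key, cipher_value, req_nonce)
    sent_keys = {encrypted_key_sha1(cipher_value): ephemeral_key}  # client-side cache
    response = server_build_response({cipher_value: ephemeral_key}, request, resp_nonce)
    client_resp_key = client_resolve_response_key(sent_keys, response)
    return (request["derived_key"], response["request_key_seen_by_server"],
            response["derived_key"], client_resp_key)


if __name__ == "__main__":
    # Constructed sample values: a random 16-byte ephemeral key and opaque "ciphertext".
    keys = run_exchange(os.urandom(16), os.urandom(128), os.urandom(16), os.urandom(16))
    print("request key matches:", keys[0] == keys[1], " response key matches:", keys[2] == keys[3])
```

The client should resolve the EncryptedKeySHA1 identifier only against keys it actually sent in this conversation; anything else is a replay or a confused-deputy attempt and the response must be rejected rather than decrypted with a guessed key.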
