Seems like this msg never made it to the list
--- Begin Message ---
Hi,

Nandana Mihindukulasooriya wrote:
> Hi,
>    When username tokens are used as supporting tokens, is it
> necessary to encrypt the username? It seems reasonable as
> the password is plain text and can be captured in transit.

Yep, UT has to be encrypted in the above case.

> When the username is a signed supporting token or signed
> endorsing supporting token, does the protection order apply too?

Good question. The problem here is in the encrypt before signature case.
We will have to encrypt twice, first without the all other parts other than (endorsing/)signed supporting tokens (body, headers etc.) and then sign the message and parts including *supporting token and finally encrypt UT (and if signature encryption is required, the main signature).

The 1.2 spec [1] illustrates this in Appendix C.3, Asymmetric Binding (pages 107-113).

Thanks,
Ruchith

1. http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.doc
signature.asc
Description: OpenPGP digital signature
--- End Message ---
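
A policy that produces the case discussed in the message above, as an added example that is not part of the original thread or of any project's shipped configuration. It is a constructed WS-SecurityPolicy 1.2 fragment; the choice of X.509 tokens, Basic256 and Lax layout is an assumption made only to complete the binding.

```xml
<!-- Constructed example. Assertion names are from WS-SecurityPolicy 1.2;
     token types, algorithm suite and layout are illustrative assumptions. -->
<wsp:Policy
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:AsymmetricBinding>
    <wsp:Policy>
      <sp:InitiatorToken>
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:InitiatorToken>
      <sp:RecipientToken>
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
            <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:RecipientToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
      <!-- Protection order from the thread: the parts below are encrypted
           first, and the signature is computed afterwards. -->
      <sp:EncryptBeforeSigning/>
      <!-- "if signature encryption is required": the main signature is
           encrypted in the final pass together with the UsernameToken. -->
      <sp:EncryptSignature/>
    </wsp:Policy>
  </sp:AsymmetricBinding>
  <!-- First pass: body (and any listed headers) encrypted, then signed. -->
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
  <!-- UsernameToken is covered by the message signature and must also be
       encrypted in the security header, so the plain-text password is not
       exposed in transit. -->
  <sp:SignedEncryptedSupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SignedEncryptedSupportingTokens>
</wsp:Policy>
```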
