Hi Susan,

> -----Original Message-----
> From: Susan Liebeskind [mailto:[email protected]]
> Sent: Tuesday, 15 October 2013 14:07
> To: Andrei Shakirin
> Subject: Re: CXF WS-Trust/WS-SecureConversation security policy questions
>
> Hi Andrei,
>
> I have tried 3 times to post this to the CXF list, and 3 times it has been
> rejected as spam for no reason I can determine. I have been having this
> problem since I joined the list, and mailed to [email protected],
> but not gotten a response. Therefore, I am replying just to you...

Hmm ... this is a bit strange.

> But do you know who manages the list so I could figure out what could be
> triggering this false positive from the Apache spam monitor? It's pretty
> frustrating. The message I get looks like this...
>
> > I'm sorry to inform you that the message below could not be delivered.
> > When delivery was attempted, the following error was returned.
> >
> > <[email protected]>: host mx1.eu.apache.org[192.87.106.230] said: 552 spam
> > score (5.7) exceeded threshold
> > (HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,SPF_PASS (in reply to end
> > of DATA command)
>
> -- snip snip snip - the post I cannot get on the list ---

I have no idea what happens. It seems that the number of emails from your account exceeds the threshold, but I do not know why. Could you create an appropriate issue for the CXF project?

> > Hi Andrei,
> >
> >> Do .NET clients play well with an XKMS server? Interoperability with
> >> .NET clients is an important concern for me.
> > I never tried XKMS in .Net, but as far as it is a W3C standard, it should
> > work also with .Net:
> > http://msdn.microsoft.com/en-us/library/ms972954.aspx
> > http://www.w3.org/2001/07/xkms-ws/dillaway/XKMSWorkshop_files/frame.htm
> > http://pages.infinit.net/ctech/xkms-part2.html
> Yes but...it is not uncommon to have incompatible implementations of the
> standards, as we all know too well from bitter personal experience.
> Seeing how old some of these references are (one from July 2001), I am
> rather dubious that we can assume the same level of support appears in
> today's .NET 4.x Framework.

Sure, it will very probably require some testing, configuration/adaptation efforts. But XKMS seems to be the right way to get and validate the certificates in enterprise service environments.

> I say this having gotten burned badly on something that worked with .NET
> 3.5 but not with .NET 4.0, something in the web service arena that Microsoft
> apparently invented.
> The issue in question pertains to the doc/literal/wrapped style of writing
> WSDL. While the historical record suggests that doc/literal/wrapped was
> invented by Microsoft, as of .NET 4.0, the Microsoft equiv of WSDL2Java
> cannot generate proxy code from a doc/literal/wrapped WSDL. You have to
> "unwrap" the WSDL in order to get generated code now.
>
> Point is: if Microsoft gave up on something they pushed into the web service
> community, color me dubious they'd keep up with support for one of the
> XML standards that never really gained much traction.
>
> >> XKMS does sound interesting, but it
> >> also sounds like XKMS would replace the certs issued by our existing
> >> PKI, and that wouldn't work for us.
> > XKMS doesn't replace PKI, but provides the façade for PKI:
> > http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html
> >
> > That means you can easily plug your own lookup and validators into the CXF
> > XKMS implementation which will speak with your PKI.
> Easily is a matter of opinion - *nothing* involving PKI has ever proved
> easy :-)
>
> For me, the potential risk of incompatible .NET issues, the use of an old
> standard which doesn't have tons of support, compared with the cost of
> having to distribute a few certificates (like we are already used to)..well,
> it tips the scale in terms of staying with what I have. I agree that what
> you are talking about sounds like a good match on paper for my requirements,
> but the tradeoff of time/energy/risk, I cannot recommend this approach for
> the work I'm doing between now and November. While I am curious to know if
> it could be made to work, I'd have to do that on my own time, not company
> time.

Ok, I understand your point.

> Thanks, Andrei - I would never have even known about this option unless
> you and Dennis hadn't brought it up.

You are welcome!

> Cheers,
> Susan

Regards,
Andrei.
