Hi,

In my opinion, the current CXF behaviour is correct. The timestamp is considered signed when using TLS only when the "IncludeTimestamp" policy assertion is defined for a TransportBinding policy. If you have an AsymmetricBinding policy with an "IncludeTimestamp", the expectation is that the Timestamp should be signed by the (Asymmetric) Signature.

In relation to your "draft" WS-SecurityPolicy spec question, using this namespace should be strongly discouraged; the 1.3 namespace should be used instead.

Colm.

On Mon, Dec 23, 2013 at 3:27 PM, slefebvre <[email protected]> wrote:

> Hello,
>
> We have a WS-Security policy defined with AsymmetricBinding,
> InitiatorSignatureToken and IncludeTimestamp, among others.
> This policy requests a signature only on the request message, not on the
> response message.
>
> When using TLS with this policy, the client validation fails, as CXF
> considers the timestamp invalid since it isn't signed.
>
> To my understanding, "CXF considers a token 'signed' if it is received over
> TLS" (quote taken from CXF-5056).
> Is that true for the timestamp signature validation?
> Should the timestamp be considered signed when using TLS?
>
> On a side question, our partner (server side) asks us to use the
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512 namespace for
> WSS-Policy. CXF seems to refuse this namespace (since it's a draft, I
> suppose). Should I enforce the 2007 namespace use on their side? Is it
> valid to use a draft?
>
> Thanks for any response.
> Simon
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/WSS-WSSP-Should-Timestamp-be-considered-signed-when-using-TLS-tp5738177.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
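
The rule stated in the reply above, sketched as an added example that is not part of the original thread and is not CXF's own code: a small checker that reads a policy, finds which binding carries IncludeTimestamp, and decides whether a message with an unsigned Timestamp would be accepted. The sample policies, the `200702` namespace URI chosen for them, and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not from the thread). The checker matches on
# element local names only, so the namespace URI here is illustrative.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"

def _policy(binding):
    return (f'<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">'
            f'<sp:{binding}><wsp:Policy><sp:IncludeTimestamp/></wsp:Policy>'
            f'</sp:{binding}></wsp:Policy>')

TRANSPORT_POLICY = _policy("TransportBinding")
ASYMMETRIC_POLICY = _policy("AsymmetricBinding")

def _local(tag):
    # "{namespace}Name" -> "Name"
    return tag.rsplit("}", 1)[-1]

def timestamp_protection(policy_xml):
    """List (binding, requirement) pairs following the rule in the reply."""
    results = []
    for el in ET.fromstring(policy_xml).iter():
        name = _local(el.tag)
        if name not in ("TransportBinding", "AsymmetricBinding"):
            continue
        if not any(_local(d.tag) == "IncludeTimestamp" for d in el.iter()):
            results.append((name, "no-timestamp-required"))
        elif name == "TransportBinding":
            # IncludeTimestamp under TransportBinding: TLS counts as signing it.
            results.append((name, "signed-by-tls"))
        else:
            # IncludeTimestamp under AsymmetricBinding: the message signature
            # must cover the Timestamp, whether or not TLS is in use.
            results.append((name, "needs-message-signature"))
    return results

def timestamp_accepted(policy_xml, over_tls, timestamp_in_signature):
    """True if a received Timestamp satisfies every binding in the policy."""
    for _, requirement in timestamp_protection(policy_xml):
        if requirement == "signed-by-tls" and not over_tls:
            return False
        if requirement == "needs-message-signature" and not timestamp_in_signature:
            return False
    return True

if __name__ == "__main__":
    # The situation in the question: AsymmetricBinding, TLS, unsigned Timestamp.
    print(timestamp_accepted(ASYMMETRIC_POLICY, True, False))   # rejected
    print(timestamp_accepted(TRANSPORT_POLICY, True, False))    # accepted
```
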
