If the token is included in the message, then my preference would be to use a DirectReference. This is the default if no specific Reference type is included. If the token is not in the message then IssuerSerial. Why don't you try experimenting with some of the tests? For example see the X509TokenTest in systests/ws-security-examples.
Colm. On Tue, Mar 11, 2014 at 4:11 PM, COURTAULT Francois < [email protected]> wrote: > Hello Colm, > > Let's say that I have to setup a policy for a web service using asymmetric > binding. According to you, what will be your choice between IssuerSerial, > KeyIdentifier and Thumbprint for referencing the X509 token ? > > And what if you have to order this list in term of preference, would the > order be, according to you: > 1) IssuerSerial > 2) Thumbprint > 3) KeyIdentifier > Or another order ? > > Best Regards. > > -----Original Message----- > From: Colm O hEigeartaigh [mailto:[email protected]] > Sent: mardi 11 mars 2014 16:57 > To: COURTAULT Francois > Cc: [email protected] > Subject: Re: Blur between secpolicy 1.2 and X509 Token profile > > IssuerSerial is also supported. It may be more performant to use > IssuerSerial over having to set up a MessageDigest object, although the > extra cost is probably dwarfed by the overall WS-Security performance cost. > > Colm. > > > On Tue, Mar 11, 2014 at 3:52 PM, COURTAULT Francois < > [email protected]> wrote: > > > Hello Colm, > > > > > > > > Thanks a lot for the answer. So it means that CXF doesn't support > > IssuerSerial and EmbeddedToken: right ? Any reason for that ? > > > > > > > > Additional question: any reason to choose one vs the other (perf, > > ....) between Thumbprint and KeyIdentifier? > > > > > > > > Best Regards. > > > > > > > > *From:* Colm O hEigeartaigh [mailto:[email protected]] > > *Sent:* mardi 11 mars 2014 15:38 > > *To:* COURTAULT Francois > > *Cc:* [email protected] > > *Subject:* Re: Blur between secpolicy 1.2 and X509 Token profile > > > > > > > > > > > > CXF supports referencing X.509 tokens via Thumbprint KeyIdentifier > > references. I don't know why a section on thumbprint references was > > removed from a draft version of the spec. > > > > Colm. > > > > > > > > On Tue, Mar 11, 2014 at 2:12 PM, COURTAULT Francois < > > [email protected]> wrote: > > > > Sorry to ask again but I haven't received any response yet ... > > > > Best Regards. > > > > -----Original Message----- > > From: COURTAULT Francois > > Sent: lundi 10 février 2014 10:35 > > To: '[email protected]' > > Cc: '[email protected]' > > Subject: RE: Blur between secpolicy 1.2 and X509 Token profile > > > > Hello guys, > > > > Any answer to my question ? > > > > Best Regards. > > > > -----Original Message----- > > From: COURTAULT Francois > > Sent: mercredi 5 février 2014 12:22 > > To: [email protected] > > Subject: Blur between secpolicy 1.2 and X509 Token profile > > > > Hello everyone, > > > > I am a little bit lost because In the security policy spec v1.2 ( > > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securityp > > olicy-1.2-spec-os.html), there are several ways to reference a > > X509Token (§5.4.3) which are allowed: > > * <sp:RequireKeyIdentifierReference ... /> ? > > * <sp:RequireIssuerSerialReference ... /> ? > > * <sp:RequireEmbeddedTokenReference ... /> ? > > * <sp:RequireThumbprintReference ... /> ? > > > > But in the X509 Certificate Token Profile 1.1 draft ( > > https://www.oasis-open.org/committees/download.php/13383/wss-v1.1-spec > > -pr-x509TokenProfile-01.htm#_Toc105230346), > > the thumbprint references is described (§3.2.4) whereas in the final > > specs either at > > http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-x509TokenProfile. > > pdfor at > > http://docs.oasis-open.org/wss-m/wss/v1.1.1/wss-x509TokenProfile-v1.1. > > 1.html, > > this section has disappeared. > > > > Do you know any reason for that ? Is the thumbprint reference still > > supported by the spec ? > > > > Best Regards. > > > > This message and any attachments are intended solely for the > > addressees and may contain confidential information. Any unauthorized > > use or disclosure, either whole or partial, is prohibited. > > E-mails are susceptible to alteration. Our company shall not be liable > > for the message if altered, changed or falsified. If you are not the > > intended recipient of this message, please delete it and notify the > sender. > > Although all reasonable efforts have been made to keep this > > transmission free from viruses, the sender will not be liable for > > damages caused by a transmitted virus > > > > > > > > > > -- > > Colm O hEigeartaigh > > > > Talend Community Coder > > http://coders.talend.com > > > > ------------------------------ > > This message and any attachments are intended solely for the > > addressees and may contain confidential information. Any unauthorized > > use or disclosure, either whole or partial, is prohibited. > > E-mails are susceptible to alteration. Our company shall not be liable > > for the message if altered, changed or falsified. If you are not the > > intended recipient of this message, please delete it and notify the > sender. > > Although all reasonable efforts have been made to keep this > > transmission free from viruses, the sender will not be liable for > > damages caused by a transmitted virus > > > > > > -- > Colm O hEigeartaigh > > Talend Community Coder > http://coders.talend.com > > This message and any attachments are intended solely for the addressees > and may contain confidential information. Any unauthorized use or > disclosure, either whole or partial, is prohibited. > E-mails are susceptible to alteration. Our company shall not be liable for > the message if altered, changed or falsified. If you are not the intended > recipient of this message, please delete it and notify the sender. > Although all reasonable efforts have been made to keep this transmission > free from viruses, the sender will not be liable for damages caused by a > transmitted virus > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
