Well, there's a bootstrapping problem, from a security point of view.
You'd presumably want to use the HTTP/S protocol to retrieve your
keystore, as you would then have some assurance that the keys you are
loading are from a trustworthy source. But then you'd need a locally
defined trust store, so that you can establish trust with your HTTP
server, after the SSL handshake. So at least these certs would need
to be defined locally.
Moreover, if the keystores contain private keys, you may not want
these accessible to any old user (e.g., off-line dictionary or brute
force attacks), so in many cases you'd want to provide some sort of
client authentication to the server. For HTTP/S, your choices are
username/password (over http), or TLS client authentication, which
again would require locally defined keys and certificates.
So, I'm not sure how useful this feature would be. On the one hand,
it would allow you to centralize the location of key and certificate
material needed for the actual WS-Security work; on the other, you'd
still have a key distribution problem this feature would not easily be
able to work around.
-Fred
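The bootstrapping Fred describes, written out as an added Java example (not code from WSS4J or from either poster): the remote keystore is fetched over HTTPS, but the server is verified only against a locally defined trust store and the client authenticates with a locally held certificate, so local key material is still required. The URL, file paths and passwords are hypothetical placeholders.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Loads a keystore over HTTPS without relying on the JVM's default trust anchors. */
public class RemoteKeyStoreLoader {

    public static KeyStore loadRemoteKeyStore(URL keystoreUrl,
            String localTrustStorePath, char[] trustStorePassword,
            String clientKeyStorePath, char[] clientKeyStorePassword,
            char[] remoteKeyStorePassword) throws Exception {
        // Plain http would hand the keystore to anyone on the path; refuse it.
        if (!"https".equalsIgnoreCase(keystoreUrl.getProtocol())) {
            throw new IllegalArgumentException("keystore URL must use https: " + keystoreUrl);
        }
        // 1. Locally defined trust store: the only authority allowed to vouch for the server.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(localTrustStorePath))) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // 2. Locally held client key and certificate for TLS client authentication,
        //    so an unauthenticated client cannot download the (private-key bearing) keystore.
        KeyStore clientStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(clientKeyStorePath))) {
            clientStore.load(in, clientKeyStorePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, clientKeyStorePassword);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        // 3. Only now fetch the remote keystore over the mutually authenticated channel.
        HttpsURLConnection conn = (HttpsURLConnection) keystoreUrl.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        KeyStore remote = KeyStore.getInstance("JKS");
        try (InputStream in = conn.getInputStream()) {
            remote.load(in, remoteKeyStorePassword);
        }
        return remote;
    }
}
```

The three local inputs (trust store, client keystore, their passwords) are exactly the material that cannot itself be fetched from the server, which is the key distribution problem the reply points out.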
On Jul 8, 2008, at 3:21 AM, Chefo wrote:
Hi guys,
I have a use case where I need to access a keystore over http. I
noticed that the AbstractCrypto class
(org.apache.ws.security.components.crypto.AbstractCrypto) only looks
for the keystore resource on the classpath and if not found -
assumes it's a file on the file system. Do you think it would be a
useful feature for the abstract crypto to be able to load the
keystore directly from an url as well? If you are interested I could
submit a patch proposal for it...
Regards,
Stefan