Posted to users@cxf.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2014/01/03 12:39:09 UTC

Re: WSS/WSSP : Should Timestamp be considered signed when using TLS ?

Hi,

In my opinion, the current CXF behaviour is correct. The timestamp is
considered signed when using TLS, only when the "IncludeTimestamp" policy
assertion is defined for a TransportBinding policy. If you have an
AsymmetricBinding policy with an "IncludeTimestamp", the expectation is
that the Timestamp should be signed by the (Asymmetric) Signature.

In relation to your "draft" WS-SecurityPolicy spec question, using this
namespace should be strongly discouraged; the 1.3 namespace should be used
instead.

Colm.


On Mon, Dec 23, 2013 at 3:27 PM, slefebvre <si...@monext.net> wrote:

> Hello,
>
> We have a WS-Security policy defined with AsymmetricBinding,
> InitiatorSignatureToken and IncludeTimestamp, among others.
> This policy requests a signature only on the request message, not on the
> response message.
>
> When using TLS with this policy, the client validation fails, as CXF
> considers the timestamp invalid since it isn't signed.
>
> To my understanding, "CXF considers a token 'signed' if it is received over
> TLS" (quote taken from CXF-5056).
> Is that true for the timestamp signature validation?
> Should the timestamp be considered signed when using TLS?
>
> On a side question, our partner (server side) asks us to use
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512 namespace for
> WSS-Policy. CXF seems to refuse this namespace (since it's a draft I
> suppose). Should I enforce the 2007 namespace use on their side? Is it
> valid to use a draft?
>
> Thanks for any response.
> Simon



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
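
The rule given in the reply above can be checked against a policy file before deployment. The following is an added example, not part of the original thread and not CXF code: a small policy lint that reports which binding carries IncludeTimestamp and flags the draft 200512 namespace. The function names, the result labels and the sample policies are constructed for illustration, and the 200702 and ws-policy namespace URIs are assumed as the non-draft ones.

```python
import xml.etree.ElementTree as ET

# The draft namespace is quoted in the thread; 200702 is assumed here to be
# the "2007 namespace" the question refers to.
DRAFT_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
# Only the two bindings discussed in the thread are modelled.
BINDINGS = ("TransportBinding", "AsymmetricBinding")


def split_tag(elem):
    """Return (namespace, local name) for an ElementTree element."""
    if elem.tag.startswith("{"):
        ns, _, local = elem.tag[1:].partition("}")
        return ns, local
    return "", elem.tag


def timestamp_protection(policy_xml):
    """Map each binding containing IncludeTimestamp to what must protect it."""
    root = ET.fromstring(policy_xml)
    findings = {"draft_namespace": False, "bindings": {}}
    for elem in root.iter():
        ns, local = split_tag(elem)
        if ns == DRAFT_NS:
            findings["draft_namespace"] = True
        if local not in BINDINGS or ns not in (SP_NS, DRAFT_NS):
            continue
        if any(split_tag(d)[1] == "IncludeTimestamp" for d in elem.iter()):
            # Per the reply: TLS counts as signing the Timestamp only when
            # IncludeTimestamp belongs to a TransportBinding policy.
            findings["bindings"][local] = (
                "tls" if local == "TransportBinding" else "message-signature")
    return findings


def sample_policy(binding, sp_ns=SP_NS):
    """Constructed minimal policy with IncludeTimestamp inside `binding`."""
    return (
        f'<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="{sp_ns}">'
        f'<sp:{binding}><wsp:Policy><sp:IncludeTimestamp/></wsp:Policy></sp:{binding}>'
        '</wsp:Policy>')


if __name__ == "__main__":
    for name in BINDINGS:
        print(name, timestamp_protection(sample_policy(name)))
    print(timestamp_protection(sample_policy("AsymmetricBinding", DRAFT_NS)))
```

A result of "message-signature" means that TLS alone will not satisfy the policy, so the message must carry a signature that covers the Timestamp.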