Posted to users@cxf.apache.org by slefebvre <si...@monext.net> on 2013/12/23 16:27:29 UTC

WSS/WSSP : Should Timestamp be considered signed when using TLS ?

Hello,

We have a WS-Security policy defined with AsymmetricBinding,
InitiatorSignatureToken and IncludeTimestamp, among others.
This policy requests a signature only on the request message, not on the
response message.

When using TLS with this policy, the client validation fails, as CXF considers
the timestamp invalid since it isn't signed.

To my understanding, "CXF considers a token 'signed' if it is received over
TLS" (quote taken from CXF-5056).
Is that true for the timestamp signature validation?
Should the timestamp be considered signed when using TLS?

On a side question, our partner (server side) asks us to use the
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512 namespace for
WSS-Policy. CXF seems to refuse this namespace (since it's a draft, I
suppose). Should I enforce the 2007 namespace use on their side? Is it
valid to use a draft?

Thanks for any response.
Simon



--
View this message in context: http://cxf.547215.n5.nabble.com/WSS-WSSP-Should-Timestamp-be-considered-signed-when-using-TLS-tp5738177.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: WSS/WSSP : Should Timestamp be considered signed when using TLS ?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,

In my opinion, the current CXF behaviour is correct. The timestamp is
considered signed when using TLS, only when the "IncludeTimestamp" policy
assertion is defined for a TransportBinding policy. If you have an
AsymmetricBinding policy with an "IncludeTimestamp", the expectation is
that the Timestamp should be signed by the (Asymmetric) Signature.

In relation to your "draft" WS-SecurityPolicy spec question, using this
namespace should be strongly discouraged; the 1.3 namespace should be used
instead.

Colm.





-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
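The rule Colm describes, written out as an added example (not code from the thread or from CXF): read the security binding and IncludeTimestamp assertion out of a WS-SecurityPolicy fragment, refuse the 200512 draft namespace, and decide whether a received Timestamp counts as signed. The sample policies and the helper names are constructed for this example; the 200702 namespace is the WS-SecurityPolicy 1.2/1.3 one.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy 1.2/1.3 namespace (accepted by CXF) and the 200512 draft one.
SP13 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
SP_DRAFT = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"

def analyse_policy(policy_xml):
    """Return (binding local name, IncludeTimestamp present), refusing the draft namespace."""
    binding, include_timestamp = None, False
    for el in ET.fromstring(policy_xml).iter():
        ns, _, local = el.tag[1:].partition("}") if el.tag.startswith("{") else ("", "", el.tag)
        if ns == SP_DRAFT:
            raise ValueError("draft 200512 namespace is refused; use " + SP13)
        if ns == SP13 and local in ("TransportBinding", "AsymmetricBinding", "SymmetricBinding"):
            binding = local
        elif ns == SP13 and local == "IncludeTimestamp":
            include_timestamp = True
    if binding is None:
        raise ValueError("no security binding assertion found")
    return binding, include_timestamp

def timestamp_ok(policy_xml, over_tls, timestamp_in_signature):
    """Does a received Timestamp satisfy IncludeTimestamp? TransportBinding: TLS is
    the protection, so arrival over TLS counts as signed. Asymmetric/Symmetric
    binding: the Timestamp must be covered by the message signature, TLS or not."""
    binding, include_timestamp = analyse_policy(policy_xml)
    if not include_timestamp:
        return True
    return over_tls if binding == "TransportBinding" else timestamp_in_signature

# Constructed sample policies, not the poster's real one.
ASYMMETRIC_POLICY = f"""<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="{SP13}">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorSignatureToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:InitiatorSignatureToken>
    <sp:IncludeTimestamp/>
  </wsp:Policy></sp:AsymmetricBinding>
</wsp:Policy>"""
TRANSPORT_POLICY = f"""<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="{SP13}">
  <sp:TransportBinding><wsp:Policy>
    <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
    <sp:IncludeTimestamp/>
  </wsp:Policy></sp:TransportBinding>
</wsp:Policy>"""
DRAFT_POLICY = ASYMMETRIC_POLICY.replace(SP13, SP_DRAFT)  # the partner's 200512 namespace

if __name__ == "__main__":
    print(timestamp_ok(TRANSPORT_POLICY, over_tls=True, timestamp_in_signature=False))   # True
    print(timestamp_ok(ASYMMETRIC_POLICY, over_tls=True, timestamp_in_signature=False))  # False
```

With the AsymmetricBinding policy the Timestamp only passes when it is among the signed parts, which is why the client-side check in the question fails over TLS alone.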