Posted to fx-dev@ws.apache.org by Richard Wareing <wa...@rewc.com> on 2005/09/29 20:41:08 UTC

Server Side - Sender Encryption Question

Is there a method of having the client request a particular encryption
key be used to encrypt the response data?

What I'm trying to do here is have each web service user submit to us
their public encryption key and use that to encrypt the data back to
them (in conjunction with signing).  In other words, depending on the
particular user that might be using the web service, we would use a
specific public key to encrypt data back to them.

Is there a way to accomplish this?

Richard Wareing
Reimer Technology Group


---
[This E-mail scanned for viruses by Declude Virus]


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


RE: Server Side - Sender Encryption Question

Posted by Richard Wareing <wa...@rewc.com>.
Also, if you embed the signing public cert in the request, doesn't that
mean you can no longer control which clients have access to your web
service?  Since if you don't store it, you can authorize clients via the
fact that their public cert is stored in your keystore or not.

Or is there a better way to control access to your web service?  The
only other way I can think of is running your own CA and ensuring the
client's public cert is signed by your own CA.  Though I can't find docs
on how I can set up my own CA.  If I could do that I think I'd be
comfortable with using the signing public cert to encrypt data back.

Thanks in Advance,

Richard...


> -----Original Message-----
> From: Werner Dittmann [mailto:Werner.Dittmann@t-online.de]
> Sent: 2005 September 30 1:04 AM
> To: Richard Wareing
> Cc: 'Abdul Ashik'; 'Apache WSS4J-Dev Mailing List'
> Subject: Re: Server Side - Sender Encryption Question
> 
> Richard,
> 
> well, if you spend the effort to maintain all your client's certs
> you can do it, but with the help of your Web Service.
> 
> When receiving a request (signed or using UsernameToken) your
> web service can determine which client sent it (see some info
> in FAQ). Using this information you can setup the name (alias)
> to use for encryption (can be done programmatically). If
> you do so just don't specify this parameter in the server's
> WSDD file.
> 
> Examples how to setup parameters dynamically can be found
> in the testcases (test/interop/TestJAXRPCHandler).
> 
> Regards,
> Werner
> 
> Richard Wareing wrote:
> > Hi Abdul,
> >
> >
> >
> > Thanks for the response.  The solution looks quite elegant, however
> > won't using the useReqSigCert feature on the server's WSDoAllSender
> > cause the sender to encrypt using the same public key used to verify the
> > requester's signature?  I was reading that it is best to use separate
> > key-pairs for signing & encryption (Ref:
> > http://www.washington.edu/computing/windows/issue22/encryption.html; see
> > "Keys, Keys, and More Keys" ).
> >
> >
> >
> > That said, what is everyone's experience with this, is it overkill to
> > complicate key management for the benefits they cite?
> >
> >
> >
> > Regards,
> >
> >
> >
> > Richard Wareing
> >
> > Reimer Technology Group
> >
> >
> >
> >
> >
> > -----Original Message-----
> > *From:* Abdul Ashik [mailto:abdul.ashik@gmail.com]
> > *Sent:* 2005 September 29 2:18 PM
> > *To:* Richard Wareing
> > *Cc:* Apache WSS4J-Dev Mailing List
> > *Subject:* Re: Server Side - Sender Encryption Question
> >
> >
> >
> > Hi Richard,
> >
> > Check out the WSS4J FAQ:
> >
> > http://wiki.apache.org/ws/FrontPage/WsFx/wss4jFAQ#many
> >
> > "To perform response encryption set the encryption user name to
> > "useReqSigCert". This is a special name that directs the WSDoAllSender
> > handler to use the stored client's certificate (the client's public key)
> > to perform response encryption."
> >
> > Cheers,
> > Ash
> >
> > On 9/29/05, *Richard Wareing* <wareing@rewc.com
> > <ma...@rewc.com>> wrote:
> >
> > Is there a method of having the client request a particular encryption
> > key be used to encrypt the response data?
> >
> > What I'm trying to do here is have each web service user submit to us
> > their public encryption key and use that to encrypt the data back to
> > them (in conjunction with signing).  In other words, depending on the
> > particular user that might be using the web service, we would use a
> > specific public key to encrypt data back to them.
> >
> > Is there a way to accomplish this?
> >
> > Richard Wareing
> > Reimer Technology Group
> >
> >
> >
> >
> >
> 
> 



Re: Server Side - Sender Encryption Question

Posted by Werner Dittmann <We...@t-online.de>.
Richard,

well, if you spend the effort to maintain all your clients' certs
you can do it, but with the help of your Web Service.

When receiving a request (signed or using UsernameToken) your
web service can determine which client sent it (see some info
in the FAQ). Using this information you can set up the name (alias)
to use for encryption (can be done programmatically). If
you do so, just don't specify this parameter in the server's
WSDD file.

Examples of how to set up parameters dynamically can be found
in the test cases (test/interop/TestJAXRPCHandler).

Regards,
Werner

Richard Wareing wrote:
> Hi Abdul,
> 
>  
> 
> Thanks for the response.  The solution looks quite elegant, however
> won’t using the useReqSigCert feature on the server’s WSDoAllSender
> cause the sender to encrypt using the same public key used to verify the
> requester’s signature?  I was reading that it is best to use separate
> key-pairs for signing & encryption (Ref:
> http://www.washington.edu/computing/windows/issue22/encryption.html; see
> “Keys, Keys, and More Keys” ).
> 
>  
> 
> That said, what is everyone’s experience with this, is it overkill to
> complicate key management for the benefits they cite?
> 
>  
> 
> Regards,
> 
>  
> 
> Richard Wareing
> 
> Reimer Technology Group
> 
>  
> 
>  
> 
> -----Original Message-----
> *From:* Abdul Ashik [mailto:abdul.ashik@gmail.com]
> *Sent:* 2005 September 29 2:18 PM
> *To:* Richard Wareing
> *Cc:* Apache WSS4J-Dev Mailing List
> *Subject:* Re: Server Side - Sender Encryption Question
> 
>  
> 
> Hi Richard,
> 
> Check out the WSS4J FAQ:
> 
> http://wiki.apache.org/ws/FrontPage/WsFx/wss4jFAQ#many
> 
> "To perform response encryption set the encryption user name to
> "useReqSigCert". This is a special name that directs the WSDoAllSender
> handler to use the stored client's certificate (the client's public key)
> to perform response encryption."
> 
> Cheers,
> Ash
> 
> On 9/29/05, *Richard Wareing* <wareing@rewc.com
> <ma...@rewc.com>> wrote:
> 
> Is there a method of having the client request a particular encryption
> key be used to encrypt the response data?
> 
> What I'm trying to do here is have each web service user submit to us
> their public encryption key and use that to encrypt the data back to
> them (in conjunction with signing).  In other words, depending on the
> particular user that might be using the web service, we would use a
> specific public key to encrypt data back to them.
> 
> Is there a way to accomplish this?
> 
> Richard Wareing
> Reimer Technology Group
> 
> 

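Werner's approach above (identify the caller from the verified signature on the request, then choose the response-encryption alias in code instead of in the WSDD), written out as an added Java example. This is not WSS4J's code and not code from anyone in the thread. It assumes the WSS4J 1.x handler API as it existed with Axis 1.x (WSHandlerConstants.RECV_RESULTS, WSHandlerResult, WSSecurityEngineResult.getCertificate(), org.apache.axis.handlers.BasicHandler); the class name EncryptionAliasSelector, the ALIAS_BY_SUBJECT table and the aliases and DNs in it are constructed for the example.

```java
// Added example (not WSS4J's own code): an Axis 1.x request-flow handler that
// runs after WSDoAllReceiver, reads the certificate WSS4J verified the request
// signature with, maps that client to an alias in the server's encryption
// keystore, and stores the alias in the MessageContext so that WSDoAllSender
// picks it up on the response flow.
// Assumptions: WSS4J 1.x handler API; the server's WSDD does NOT set
// encryptionUser for WSDoAllSender (a WSDD value takes precedence over the
// MessageContext property, which is why Werner says to leave it out).
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Vector;

import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.handlers.BasicHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

public class EncryptionAliasSelector extends BasicHandler {

    // Constructed mapping from the client certificate's subject DN (RFC 2253
    // form) to the alias under which that client's certificate is stored in
    // the server's encryption keystore. Populate from your own client registry.
    private static final Map ALIAS_BY_SUBJECT = new HashMap();
    static {
        ALIAS_BY_SUBJECT.put("CN=client-a,O=Example", "client-a-enc");
        ALIAS_BY_SUBJECT.put("CN=client-b,O=Example", "client-b-enc");
    }

    public void invoke(MessageContext mc) throws AxisFault {
        X509Certificate signer = findSigningCert(mc);
        if (signer == null) {
            // Fail closed: without a verified signature there is no trustworthy
            // identity to pick an encryption key for.
            throw new AxisFault("Request not signed; cannot select response encryption key");
        }
        String alias = aliasFor(signer.getSubjectX500Principal().getName());
        if (alias == null) {
            throw new AxisFault("Unknown client certificate: "
                    + signer.getSubjectX500Principal().getName());
        }
        // Axis reuses the same MessageContext for request and response, so
        // WSDoAllSender sees this property when it encrypts the response.
        mc.setProperty(WSHandlerConstants.ENCRYPTION_USER, alias);
    }

    /** The certificate WSDoAllReceiver verified the signature with, or null. */
    static X509Certificate findSigningCert(MessageContext mc) {
        Vector results = (Vector) mc.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (results == null) {
            return null;
        }
        for (Iterator i = results.iterator(); i.hasNext();) {
            WSHandlerResult hr = (WSHandlerResult) i.next();
            for (Iterator j = hr.getResults().iterator(); j.hasNext();) {
                WSSecurityEngineResult r = (WSSecurityEngineResult) j.next();
                if (r.getAction() == WSConstants.SIGN && r.getCertificate() != null) {
                    return r.getCertificate();
                }
            }
        }
        return null;
    }

    /** Keystore alias for a client subject DN, or null if the client is unknown. */
    static String aliasFor(String subjectDn) {
        return (String) ALIAS_BY_SUBJECT.get(subjectDn);
    }
}
```

Deploy it in the request flow directly after WSDoAllReceiver and keep `encryptionUser` out of WSDoAllSender's parameters in the WSDD. Because the table is keyed on the whole DN, an unknown or renamed client gets a fault rather than a response encrypted to a guessed key; compare DNs in their canonical form if your CA issues certificates with attribute ordering you do not control.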


RE: Server Side - Sender Encryption Question

Posted by Richard Wareing <wa...@rewc.com>.
Hi Abdul,

Thanks for the response.  The solution looks quite elegant, however
won't using the useReqSigCert feature on the server's WSDoAllSender
cause the sender to encrypt using the same public key used to verify the
requester's signature?  I was reading that it is best to use separate
key-pairs for signing & encryption (Ref:
http://www.washington.edu/computing/windows/issue22/encryption.html; see
"Keys, Keys, and More Keys" ).

That said, what is everyone's experience with this, is it overkill to
complicate key management for the benefits they cite?

Regards,

Richard Wareing

Reimer Technology Group


-----Original Message-----
From: Abdul Ashik [mailto:abdul.ashik@gmail.com] 
Sent: 2005 September 29 2:18 PM
To: Richard Wareing
Cc: Apache WSS4J-Dev Mailing List
Subject: Re: Server Side - Sender Encryption Question

 

Hi Richard,

Check out the WSS4J FAQ:

http://wiki.apache.org/ws/FrontPage/WsFx/wss4jFAQ#many

"To perform response encryption set the encryption user name to
"useReqSigCert". This is a special name that directs the WSDoAllSender
handler to use the stored client's certificate (the client's public key)
to perform response encryption."

Cheers,
Ash

On 9/29/05, Richard Wareing <wa...@rewc.com> wrote:

Is there a method of having the client request a particular encryption
key be used to encrypt the response data?

What I'm trying to do here is have each web service user submit to us
their public encryption key and use that to encrypt the data back to 
them (in conjunction with signing).  In other words, depending on the
particular user that might be using the web service, we would use a
specific public key to encrypt data back to them.

Is there a way to accomplish this? 

Richard Wareing
Reimer Technology Group





Re: Server Side - Sender Encryption Question

Posted by Abdul Ashik <ab...@gmail.com>.
Hi Richard,

Check out the WSS4J FAQ:

http://wiki.apache.org/ws/FrontPage/WsFx/wss4jFAQ#many

"To perform response encryption set the encryption user name to
"useReqSigCert". This is a special name that directs the WSDoAllSender
handler to use the stored client's certificate (the client's public key) to
perform response encryption."

Cheers,
Ash

On 9/29/05, Richard Wareing <wa...@rewc.com> wrote:
>
> Is there a method of having the client request a particular encryption
> key be used to encrypt the response data?
>
> What I'm trying to do here is have each web service user submit to us
> their public encryption key and use that to encrypt the data back to
> them (in conjunction with signing). In other words, depending on the
> particular user that might be using the web service, we would use a
> specific public key to encrypt data back to them.
>
> Is there a way to accomplish this?
>
> Richard Wareing
> Reimer Technology Group
>
>

RE: Server Side - Sender Encryption Question

Posted by Richard Wareing <wa...@rewc.com>.
I guess in CA speak, I'm asking whether or not incoming embedded
client certificates can be checked against a CRL or Certificate
Revocation List, which would be updated periodically from a CA.

Richard...


> -----Original Message-----
> From: Richard Wareing [mailto:wareing@rewc.com]
> Sent: 2005 September 30 4:42 PM
> To: 'Abhijit Sharma'; 'Apache WSS4J-Dev Mailing List'
> Subject: RE: Server Side - Sender Encryption Question
> 
> Hi Abhijit,
> 
> So I got the signing and encryption working bi-directionally with the
> use of my own Certificate Authority (FYI a link on how to do this:
> http://www.devx.com/Java/Article/10185/1763/page/1).  Using the method
> suggested, I no longer need to store any certificates of the clients,
> since I can now check the embedded certificates to make sure they were
> signed by my CA.  And at the end of the day I now have a method of
> securely authorizing a web service client to access the web service.
> 
> My one remaining question is, say I now wish to revoke access to the
> web service.  Other than waiting for the web service client's signed
> key-pair to expire, how can I terminate this client's access to the
> service?  Would it be possible to check with the CA to see if the user's
> signed certificate was revoked?
> 
> Richard Wareing
> Reimer Technology Group
> 
> 
> > -----Original Message-----
> > From: Abhijit Sharma [mailto:asharma@amberpoint.com]
> > Sent: 2005 September 29 11:53 PM
> > To: 'Richard Wareing'; 'Apache WSS4J-Dev Mailing List'
> > Subject: RE: Server Side - Sender Encryption Question
> >
> > If the Request came in signed then the public key or certificate (included in
> > the WSSecurity Header) used to sign the request can be used to encrypt the
> > response also.
> >
> > Regards,
> > Abhijit
> >
> > -----Original Message-----
> > From: Richard Wareing [mailto:wareing@rewc.com]
> > Sent: Thu, September 29, 2005 11:41 AM
> > To: Apache WSS4J-Dev Mailing List
> > Subject: Server Side - Sender Encryption Question
> >
> > Is there a method of having the client request a particular encryption
> > key be used to encrypt the response data?
> >
> > What I'm trying to do here is have each web service user submit to us
> > their public encryption key and use that to encrypt the data back to
> > them (in conjunction with signing).  In other words, depending on the
> > particular user that might be using the web service, we would use a
> > specific public key to encrypt data back to them.
> >
> > Is there a way to accomplish this?
> >
> > Richard Wareing
> > Reimer Technology Group
> >
> >
> 
> 

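The CRL check Richard asks about, as an added Java example that is neither part of the thread nor WSS4J code: the embedded client certificate is validated against the server's own CA with the JDK's PKIX CertPathValidator, revocation checking enabled, and the CRL file is reloaded once its nextUpdate time has passed. It assumes the CA certificate and the CRL are on disk at CA_CERT_PATH and CRL_PATH (both placeholders) and that fetching the CRL from the CA to that file happens out of band; ClientCertChecker and its method names are hypothetical.

```java
// Added example (not WSS4J's own code): accept a client certificate only if it
// chains to our own CA and is absent from the CA's current CRL, using the
// JDK's PKIX validator. Fails closed when the CRL is missing or unloadable.
// Assumptions: CA_CERT_PATH and CRL_PATH are placeholders; the CRL file is
// refreshed from the CA by some external job (cron, scheduled download).
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

public final class ClientCertChecker {
    private static final String CA_CERT_PATH = "/path/to/ca-cert.pem"; // placeholder
    private static final String CRL_PATH = "/path/to/ca.crl";           // placeholder

    private final CertificateFactory cf;
    private final X509Certificate caCert;
    private X509CRL crl;

    public ClientCertChecker() throws GeneralSecurityException, IOException {
        cf = CertificateFactory.getInstance("X.509");
        caCert = (X509Certificate) loadCert(CA_CERT_PATH);
        crl = loadCrl(CRL_PATH);
    }

    /** True only if clientCert was issued by our CA and is not on the current CRL. */
    public synchronized boolean isAcceptable(X509Certificate clientCert) {
        try {
            refreshCrlIfStale();
            return chainsToCaAndNotRevoked(clientCert, caCert, crl);
        } catch (Exception e) {
            // No usable CRL or CA cert: refuse rather than skip the revocation check.
            return false;
        }
    }

    /** PKIX validation of a one-certificate path with revocation checking on. */
    static boolean chainsToCaAndNotRevoked(X509Certificate clientCert,
                                           X509Certificate caCert, X509CRL crl)
            throws GeneralSecurityException {
        TrustAnchor anchor = new TrustAnchor(caCert, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
        params.setRevocationEnabled(true);   // default, made explicit
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl))));
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            // Covers: not issued by our CA, expired, revoked, or revocation
            // status undeterminable (e.g. the CRL does not cover this issuer).
            return false;
        }
    }

    /** Reload the CRL once the CA's advertised nextUpdate time has passed. */
    private void refreshCrlIfStale() throws GeneralSecurityException, IOException {
        Date next = crl.getNextUpdate();
        if (next != null && next.before(new Date())) {
            crl = loadCrl(CRL_PATH);
        }
    }

    private X509Certificate loadCert(String path) throws GeneralSecurityException, IOException {
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    private X509CRL loadCrl(String path) throws GeneralSecurityException, IOException {
        InputStream in = new FileInputStream(path);
        try {
            return (X509CRL) cf.generateCRL(in);
        } finally {
            in.close();
        }
    }
}
```

Call `isAcceptable` from a handler that runs after WSDoAllReceiver, passing the certificate WSS4J verified the request signature with. Keeping the CRL on disk and reloading it by `nextUpdate` means a revoked client is cut off at the CA's publication interval rather than at certificate expiry, which is the gap the question describes; if the CRL cannot be read, the check refuses the client instead of silently validating without revocation data.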


RE: Server Side - Sender Encryption Question

Posted by Richard Wareing <wa...@rewc.com>.
Hi Abhijit,

So I got the signing and encryption working bi-directionally with the
use of my own Certificate Authority (FYI a link on how to do this:
http://www.devx.com/Java/Article/10185/1763/page/1).  Using the method
suggested, I no longer need to store any certificates of the clients,
since I can now check the embedded certificates to make sure they were
signed by my CA.  And at the end of the day I now have a method of
securely authorizing a web service client to access the web service. 

My one remaining question is, say I now wish to revoke access to the
web service.  Other than waiting for the web service client's signed
key-pair to expire, how can I terminate this client's access to the
service?  Would it be possible to check with the CA to see if the user's
signed certificate was revoked?

Richard Wareing
Reimer Technology Group


> -----Original Message-----
> From: Abhijit Sharma [mailto:asharma@amberpoint.com]
> Sent: 2005 September 29 11:53 PM
> To: 'Richard Wareing'; 'Apache WSS4J-Dev Mailing List'
> Subject: RE: Server Side - Sender Encryption Question
> 
> If the Request came in signed then the public key or certificate (included
> in the WSSecurity Header) used to sign the request can be used to encrypt
> the response also.
> 
> Regards,
> Abhijit
> 
> -----Original Message-----
> From: Richard Wareing [mailto:wareing@rewc.com]
> Sent: Thu, September 29, 2005 11:41 AM
> To: Apache WSS4J-Dev Mailing List
> Subject: Server Side - Sender Encryption Question
> 
> Is there a method of having the client request a particular encryption
> key be used to encrypt the response data?
> 
> What I'm trying to do here is have each web service user submit to us
> their public encryption key and use that to encrypt the data back to
> them (in conjunction with signing).  In other words, depending on the
> particular user that might be using the web service, we would use a
> specific public key to encrypt data back to them.
> 
> Is there a way to accomplish this?
> 
> Richard Wareing
> Reimer Technology Group
> 
> 
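The check Richard describes (accept a client's embedded certificate only if it was issued by our own CA) together with the revocation check he asks about, as an added example that is not part of this thread or of WSS4J. It uses only the JDK's PKIX validator; the client certificate is assumed to be the one pulled from the WS-Security signature, and the CA certificate and its CRL are assumed to be loaded by the caller (for instance with `CertificateFactory.generateCertificate` and `generateCRL`).

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.Collections;
import java.util.Date;

/**
 * Added example, not WSS4J code: decide whether the X.509 certificate a
 * client embedded in its WS-Security signature may use the service. It
 * must chain to our own CA (the only trust anchor) and must not be on
 * the CRL that CA publishes. Loading the files is left to the caller.
 */
public class ClientCertAuthorizer {
    /**
     * Returns normally if clientCert is issued by caCert, currently valid
     * and absent from caCrl; throws CertPathValidatorException otherwise.
     * Only then should its public key be used to encrypt the response.
     */
    public static void authorize(X509Certificate clientCert,
                                 X509Certificate caCert, X509CRL caCrl)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));

        // Trust only our CA, not the JVM's default cacerts store.
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(caCert, null)));
        params.setDate(new Date());

        // Give the validator the CA's CRL and require a revocation check;
        // if no CRL for the issuer is available, validation fails closed.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(caCrl))));
        params.setRevocationEnabled(true);

        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    /** Convenience wrapper: true if accepted; the rejection reason is logged. */
    public static boolean isAuthorized(X509Certificate c, X509Certificate ca, X509CRL crl) {
        try {
            authorize(c, ca, crl);
            return true;
        } catch (GeneralSecurityException e) {
            System.err.println("client cert rejected: " + e.getMessage());
            return false;
        }
    }
}
```

Re-fetch the CRL on the schedule your CA publishes it, since a stale CRL leaves a revoked client accepted until the next refresh.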


RE: Server Side - Sender Encryption Question

Posted by Abhijit Sharma <as...@amberpoint.com>.
If the Request came in signed then the public key or certificate (included in
the WSSecurity Header) used to sign the request can be used to encrypt the
response also.

Regards,
Abhijit

-----Original Message-----
From: Richard Wareing [mailto:wareing@rewc.com] 
Sent: Thu, September 29, 2005 11:41 AM
To: Apache WSS4J-Dev Mailing List
Subject: Server Side - Sender Encryption Question

Is there a method of having the client request a particular encryption
key be used to encrypt the response data?

What I'm trying to do here is have each web service user submit to us
their public encryption key and use that to encrypt the data back to
them (in conjunction with signing).  In other words, depending on the
particular user that might be using the web service, we would use a
specific public key to encrypt data back to them.

Is there a way to accomplish this?

Richard Wareing
Reimer Technology Group

