Posted to java-user@axis.apache.org by Ali Sadik Kumlali <as...@yahoo.com> on 2006/12/21 14:23:15 UTC

[Axis2][Rampart] What are the differences between X509KeyIdentifier and SKIKeyIdentifier?

Hi folks,

I have many clients sending messages signed with their own certificates. So, I stored their public certificates in a keystore. After
  - looking at the x509-token-profile-1.0 spec[1]
  - reading the related mail[2]
  - reading the "Secure Message Exchanges with Multiple Users" article on WSO2[3]

I still need to understand what the differences are between X509KeyIdentifier and SKIKeyIdentifier.

Both of them were accepted by the service without any change at the server side. At the client side, on the other hand, the only change I made was setting <signatureKeyIdentifier> in axis2.xml to either X509KeyIdentifier or SKIKeyIdentifier. I examined the SOAP headers for both and found a little difference[4].

At this point some questions come to my mind:
1) Which one should I use at the client side?

2) Can we say one is more compatible (or more widely used) than the other?

3) Can we say one is more secure than the other?

4) Should I consider the other signatureKeyIdentifier types (DirectReference, IssuerSerial, Thumbprint)?
5) Should I just get some sleep and read all the docs again? :)

Regards,

Ali Sadik Kumlali


[1] http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
[2] http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200607.mbox/%3c559c463d0607172159n3fb7e361k29498d0499fc2bf@mail.gmail.com%3e
[3] http://www.wso2.net/tutorials/rampart/java/2006/09/06/sec-msg-exchg
[4]

X509KeyIdentifier:
------------------

<wsse:KeyIdentifier
  EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
  ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
  MIIDCjCCAfKgAwIBAgIQYDju2/6sm77InYfTq65x+DANBgkqhkiG9w0BAQUFADAwMQ4wDAYDVQQKDAVPQVNJUzEeMBwGA1UEAwwVT0FTSVMgSW50ZXJvcCBUZXN0IENBMB4XDTA1MDMxOTAwMDAwMFoXDTE4MDMxOTIzNTk1OVowQDEOMAwGA1UECgwFT0FTSVMxIDAeBgNVBAsMF09BU0lTIEludGVyb3AgVGVzdCBDZXJ0MQwwCgYDVQQDDANCb2IwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMCquMva4lFDrv3fXQnKK8CkSU7HvVZ0USyJtlL/yhmHH/FQXHyYY+fTcSyWYItWJYiTZ99PAbD+6EKBGbdfuJNUJCGaTWc5ZDUISqM/SGtacYe/PD/4+g3swNPzTUQAIBLRY1pkr2cm3s5Ch/f+mYVNBR41HnBeIxybw25kkoM7AgMBAAGjgZMwgZAwCQYDVR0TBAIwADAzBgNVHR8ELDAqMCiiJoYkaHR0cDovL2ludGVyb3AuYmJ0ZXN0Lm5ldC9jcmwvY2EuY3JsMA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUXeg55vRyK3ZhAEhEf+YT0z986L0wHwYDVR0jBBgwFoAUwJ0o/MHrNaEd1qqqoBwaTcJJDw8wDQYJKoZIhvcNAQEFBQADggEBAIiVGv2lGLhRvmMAHSlY7rKLVkv+zEUtSyg08FBT8z/RepUbtUQShcIqwWsemDU8JVtsucQLc+g6GCQXgkCkMiC8qhcLAt3BXzFmLxuCEAQeeFe8IATr4wACmEQE37TEqAuWEIanPYIplbxYgwP0OBWBSjcRpKRAxjEzuwObYjbll6vKdFHYIweWhhWPrefquFp7TefTkF4D3rcctTfWJ76I5NrEVld+7PBnnJNpdDEuGsoaiJrwTW3Ixm40RXvG3fYS4hIAPeTCUk3RkYfUkqlaaLQnUrF2hZSgiBNLPe8gGkYORccRIlZCGQDEpcWl1Uf9OHw6fC+3hkqolFd5CVI=
</wsse:KeyIdentifier>

SKIKeyIdentifier:
-----------------
<wsse:KeyIdentifier
  EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
  ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
  Xeg55vRyK3ZhAEhEf+YT0z986L0=
</wsse:KeyIdentifier>



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: [Axis2][Rampart] What are the differences between X509KeyIdentifier and SKIKeyIdentifier?

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi Paul,

On 1/3/07, Paul Fremantle <pz...@gmail.com> wrote:
> Ruchith
>
> From your description above, it seems like in the case of
> X509KeyIdentifier and DirectReference the actual cert is included in
> the message and in the case of SKIKeyIdentifier, IssuerSerial and
> ThumbPrint, the cert needs to be in the server's keystore or LDAP.
>
> I think I can see that SKIKeyIdentifier, IssuerSerial and ThumbPrint
> are just three different ways of looking up the certificate in the
> store. Am I right?

Yes

>
> However, I don't understand the difference between X509KeyIdentifier
> and DirectReference. Can you explain that please!?

X509KeyIdentifier :

This is the case where a SecurityTokenReference uses a
wsse:KeyIdentifier element to refer to a key.

DirectReference :

This is where a SecurityTokenReference uses a "wsse:Reference" element
to refer to a security token.

Please see Sections 7.2 and 7.3 of [1].

Thanks,
Ruchith

[1] https://svn.apache.org/repos/asf/webservices/wss4j/trunk/specs/wss-v1.1-spec-os-SOAPMessageSecurity.pdf


>
> Paul
>
> On 1/3/07, Ruchith Fernando <ru...@gmail.com> wrote:
> > Hi,
> >
> > On 12/21/06, Ali Sadik Kumlali <as...@yahoo.com> wrote:
> > > Hi folks,
> > >
> > > I have many clients sending messages signed with their own certificates. So, I stored their public certificates in a keystore. After
> > >   - looking at the x509-token-profile-1.0 spec[1]
> > >   - reading the related mail[2]
> > >   - reading the "Secure Message Exchanges with Multiple Users" article on WSO2[3]
> > >
> > >
> > > I still need to understand what the differences are between X509KeyIdentifier and SKIKeyIdentifier.
> >
> > X509KeyIdentifier is used to refer to a cert. And in this case the
> > base64 encoded cert is included directly within the key identifier
> > element. This can be used when the endpoint that processes the message
> > trusts a certain CA and the users are expected to use certs that are
> > signed by that trusted CA. Therefore a signature with a trusted cert
> > will be accepted. Note that the endpoint will not have to store all
> > client certs in this case since they will be available in the message
> > itself.
> >
> > SKIKeyIdentifier specifies the use of the "Subject Key Identifier"
> > X.509 extension value as the mechanism to refer to the cert used to
> > sign. In this case it should be noted that the endpoint that processes
> > the message should have access to a store that holds the potential
> > certificates so that the matching cert can be fetched (based on the
> > SKI) to carry out signature verification.
> > >
> > > Both of them were accepted by the service without any change at the server side. At the client side, on the other hand, the only change I made was setting <signatureKeyIdentifier> in axis2.xml to either X509KeyIdentifier or SKIKeyIdentifier. I examined the SOAP headers for both and found a little difference[4].
> > >
> > > At this point some questions come to my mind:
> > > 1) Which one should I use at the client side?
> >
> > This will be specified by the policy of the service or how you manage
> > certs of trusted users at the service. See the explanation above.
> >
> > >
> > > 2) Can we say one is more compatible (or more widely used) than the other?
> >
> > I'm not sure which one is most used, but I think it's purely a decision
> > in configuring the service.
> >
> > >
> > > 3) Can we say one is more secure than the other?
> >
> > IMHO both mechanisms are the same, since both of them are different
> > ways of referring to public information (cert).
> >
> > >
> > > 4) Should I consider the other signatureKeyIdentifier types (DirectReference, IssuerSerial, Thumbprint)?
> >
> > DirectReference is another case where you add the base64 encoded cert
> > into the message. And IssuerSerial and Thumbprint both require you to
> > make sure the endpoint that processes the message has access to the
> > certs in its store. Also note that the thumbprint reference was introduced only
> > in WS-Security 1.1.
> >
> > > 5) Should I just get some sleep and read all the docs again? :)
> >
> > I guess you had your sleep :-) Sorry about the delay in my response.
> >
> > Thanks,
> > Ruchith
> >
> > >
> > > Regards,
> > >
> > > Ali Sadik Kumlali
> > >
> > >
> > > [1] http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
> > > [2] http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200607.mbox/%3c559c463d0607172159n3fb7e361k29498d0499fc2bf@mail.gmail.com%3e
> > > [3] http://www.wso2.net/tutorials/rampart/java/2006/09/06/sec-msg-exchg
> > > [4]
> > >
> > > X509KeyIdentifier:
> > > ------------------
> > >
> > > <wsse:KeyIdentifier
> > >   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> > >   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
> > >   MIIDCjCCAfKgAwIBAgIQYDju2/6sm77InYfTq65x+DANBgkqhkiG9w0BAQUFADAwMQ4wDAYDVQQKDAVPQVNJUzEeMBwGA1UEAwwVT0FTSVMgSW50ZXJvcCBUZXN0IENBMB4XDTA1MDMxOTAwMDAwMFoXDTE4MDMxOTIzNTk1OVowQDEOMAwGA1UECgwFT0FTSVMxIDAeBgNVBAsMF09BU0lTIEludGVyb3AgVGVzdCBDZXJ0MQwwCgYDVQQDDANCb2IwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMCquMva4lFDrv3fXQnKK8CkSU7HvVZ0USyJtlL/yhmHH/FQXHyYY+fTcSyWYItWJYiTZ99PAbD+6EKB
GbdfuJNUJCGaTWc5ZDUISqM/SGtacYe/PD/4+g3swNPzTUQAIBLRY1pkr2cm3s5Ch/f+mYVNBR41HnBeIxybw25kkoM7AgMBAAGjgZMwgZAwCQYDVR0TBAIwADAzBgNVHR8ELDAqMCiiJoYkaHR0cDovL2ludGVyb3AuYmJ0ZXN0Lm5ldC9jcmwvY2EuY3JsMA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUXeg55vRyK3ZhAEhEf+YT0z986L0wHwYDVR0jBBgwFoAUwJ0o/MHrNaEd1qqqoBwaTcJJDw8wDQYJKoZIhvcNAQEFBQADggEBAIiVGv2lGLhRvmMAHSlY7rKLVkv+zEUtSyg08FBT8z/RepUbtUQShcIqwWsemDU8JVtsucQLc+g6GCQXgkCkMiC8qhcLAt3BXzFmLxuCEAQeeFe8IATr4wACmEQE37TEqAuWEIanPYIplbxYgwP0OBWBSjcRpKRAxjEzuwObYjbll6vKdFHYIweWhhWPrefquFp7TefTkF4D3rcctTfWJ76I5NrEVld+7PBnnJNpdDEuGsoaiJrwTW3Ixm40RXvG3fYS4hIAPeTCUk3RkYfUkqlaaLQnUrF2hZSgiBNLPe8gGkYORccRIlZCGQDEpcWl1Uf9OHw6fC+3hkqolFd5CVI=
> > > </wsse:KeyIdentifier>
> > >
> > > SKIKeyIdentifier:
> > > -----------------
> > > <wsse:KeyIdentifier
> > >   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> > >   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
> > >   Xeg55vRyK3ZhAEhEf+YT0z986L0=
> > > </wsse:KeyIdentifier>
> > >
> > >
> > >
> > >
> >
> >
> > --
> > www.ruchith.org
> > www.wso2.org
> >
>
>
> --
> Paul Fremantle
> VP/Technology, WSO2 and OASIS WS-RX TC Co-chair
>
> http://bloglines.com/blog/paulfremantle
> paul@wso2.com
>
> "Oxygenating the Web Service Platform", www.wso2.com
>


-- 
www.ruchith.org
www.wso2.org



Re: [Axis2][Rampart] What are the differences between X509KeyIdentifier and SKIKeyIdentifier?

Posted by Paul Fremantle <pz...@gmail.com>.
Ruchith

From your description above, it seems like in the case of
X509KeyIdentifier and DirectReference the actual cert is included in
the message and in the case of SKIKeyIdentifier, IssuerSerial and
ThumbPrint, the cert needs to be in the server's keystore or LDAP.

I think I can see that SKIKeyIdentifier, IssuerSerial and ThumbPrint
are just three different ways of looking up the certificate in the
store. Am I right?

However, I don't understand the difference between X509KeyIdentifier
and DirectReference. Can you explain that please!?

Paul

On 1/3/07, Ruchith Fernando <ru...@gmail.com> wrote:
> Hi,
>
> On 12/21/06, Ali Sadik Kumlali <as...@yahoo.com> wrote:
> > Hi folks,
> >
> > I have many clients sending messages signed with their own certificates. So, I stored their public certificates in a keystore. After
> >   - looking at the x509-token-profile-1.0 spec[1]
> >   - reading the related mail[2]
> >   - reading the "Secure Message Exchanges with Multiple Users" article on WSO2[3]
> >
> >
> > I still need to understand what the differences are between X509KeyIdentifier and SKIKeyIdentifier.
>
> X509KeyIdentifier is used to refer to a cert. And in this case the
> base64 encoded cert is included directly within the key identifier
> element. This can be used when the endpoint that processes the message
> trusts a certain CA and the users are expected to use certs that are
> signed by that trusted CA. Therefore a signature with a trusted cert
> will be accepted. Note that the endpoint will not have to store all
> client certs in this case since they will be available in the message
> itself.
>
> SKIKeyIdentifier specifies the use of the "Subject Key Identifier"
> X.509 extension value as the mechanism to refer to the cert used to
> sign. In this case it should be noted that the endpoint that processes
> the message should have access to a store that holds the potential
> certificates so that the matching cert can be fetched (based on the
> SKI) to carry out signature verification.
> >
> > Both of them were accepted by the service without any change at the server side. At the client side, on the other hand, the only change I made was setting <signatureKeyIdentifier> in axis2.xml to either X509KeyIdentifier or SKIKeyIdentifier. I examined the SOAP headers for both and found a little difference[4].
> >
> > At this point some questions come to my mind:
> > 1) Which one should I use at the client side?
>
> This will be specified by the policy of the service or how you manage
> certs of trusted users at the service. See the explanation above.
>
> >
> > 2) Can we say one is more compatible (or more widely used) than the other?
>
> I'm not sure which one is most used, but I think it's purely a decision
> in configuring the service.
>
> >
> > 3) Can we say one is more secure than the other?
>
> IMHO both mechanisms are the same, since both of them are different
> ways of referring to public information (cert).
>
> >
> > 4) Should I consider the other signatureKeyIdentifier types (DirectReference, IssuerSerial, Thumbprint)?
>
> DirectReference is another case where you add the base64 encoded cert
> into the message. And IssuerSerial and Thumbprint both require you to
> make sure the endpoint that processes the message has access to the
> certs in its store. Also note that the thumbprint reference was introduced only
> in WS-Security 1.1.
>
> > 5) Should I just get some sleep and read all the docs again? :)
>
> I guess you had your sleep :-) Sorry about the delay in my response.
>
> Thanks,
> Ruchith
>
> >
> > Regards,
> >
> > Ali Sadik Kumlali
> >
> >
> > [1] http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
> > [2] http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200607.mbox/%3c559c463d0607172159n3fb7e361k29498d0499fc2bf@mail.gmail.com%3e
> > [3] http://www.wso2.net/tutorials/rampart/java/2006/09/06/sec-msg-exchg
> > [4]
> >
> > X509KeyIdentifier:
> > ------------------
> >
> > <wsse:KeyIdentifier
> >   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> >   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
> >   MIIDCjCCAfKgAwIBAgIQYDju2/6sm77InYfTq65x+DANBgkqhkiG9w0BAQUFADAwMQ4wDAYDVQQKDAVPQVNJUzEeMBwGA1UEAwwVT0FTSVMgSW50ZXJvcCBUZXN0IENBMB4XDTA1MDMxOTAwMDAwMFoXDTE4MDMxOTIzNTk1OVowQDEOMAwGA1UECgwFT0FTSVMxIDAeBgNVBAsMF09BU0lTIEludGVyb3AgVGVzdCBDZXJ0MQwwCgYDVQQDDANCb2IwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMCquMva4lFDrv3fXQnKK8CkSU7HvVZ0USyJtlL/yhmHH/FQXHyYY+fTcSyWYItWJYiTZ99PAbD+6EKBGbdfuJNUJCGaTWc5ZDUISqM/SGtacYe/PD/4+g3swNPzTUQAIBLRY1pkr2cm3s5Ch/f+mYVNBR41HnBeIxybw25kkoM7AgMBAAGjgZMwgZAwCQYDVR0TBAIwADAzBgNVHR8ELDAqMCiiJoYkaHR0cDovL2ludGVyb3AuYmJ0ZXN0Lm5ldC9jcmwvY2EuY3JsMA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUXeg55vRyK3ZhAEhEf+YT0z986L0wHwYDVR0jBBgwFoAUwJ0o/MHrNaEd1qqqoBwaTcJJDw8wDQYJKoZIhvcNAQEFBQADggEBAIiVGv2lGLhRvmMAHSlY7rKLVkv+zEUtSyg08FBT8z/RepUbtUQShcIqwWsemDU8JVtsucQLc+g6GCQXgkCkMiC8qhcLAt3BXzFmLxuCEAQeeFe8IATr4wACmEQE37TEqAuWEIanPYIplbxYgwP0OBWBSjcRpKRAxjEzuwObYjbll6vKdFHYIweWhhWPrefquFp7TefTkF4D3rcctTfWJ76I5NrEVld+7PBnnJNpdDEuGsoaiJrwTW3Ixm40RXvG3fYS4hIAPeTCUk3RkYfUkqlaaLQnUrF2hZSgiBNLPe8gGkYORccRIlZCGQDEpcWl1Uf9OHw6fC+3hkqolFd5CVI=
> > </wsse:KeyIdentifier>
> >
> > SKIKeyIdentifier:
> > -----------------
> > <wsse:KeyIdentifier
> >   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> >   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
> >   Xeg55vRyK3ZhAEhEf+YT0z986L0=
> > </wsse:KeyIdentifier>
> >
> >
> >
> >
>
>
> --
> www.ruchith.org
> www.wso2.org
>


-- 
Paul Fremantle
VP/Technology, WSO2 and OASIS WS-RX TC Co-chair

http://bloglines.com/blog/paulfremantle
paul@wso2.com

"Oxygenating the Web Service Platform", www.wso2.com



Re: [Axis2][Rampart] What are the differences between X509KeyIdentifier and SKIKeyIdentifier?

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi,

On 12/21/06, Ali Sadik Kumlali <as...@yahoo.com> wrote:
> Hi folks,
>
> I have many clients sending messages signed with their own certificates. So, I stored their public certificates in a keystore. After
>   - looking at the x509-token-profile-1.0 spec[1]
>   - reading the related mail[2]
>   - reading the "Secure Message Exchanges with Multiple Users" article on WSO2[3]
>
>
> I still need to understand what the differences are between X509KeyIdentifier and SKIKeyIdentifier.

X509KeyIdentifier is used to refer to a cert. And in this case the
base64 encoded cert is included directly within the key identifier
element. This can be used when the endpoint that processes the message
trusts a certain CA and the users are expected to use certs that are
signed by that trusted CA. Therefore a signature with a trusted cert
will be accepted. Note that the endpoint will not have to store all
client certs in this case since they will be available in the message
itself.

SKIKeyIdentifier specifies the use of the "Subject Key Identifier"
X.509 extension value as the mechanism to refer to the cert used to
sign. In this case it should be noted that the endpoint that processes
the message should have access to a store that holds the potential
certificates so that the matching cert can be fetched (based on the
SKI) to carry out signature verification.
>
> Both of them were accepted by the service without any change at the server side. At the client side, on the other hand, the only change I made was setting <signatureKeyIdentifier> in axis2.xml to either X509KeyIdentifier or SKIKeyIdentifier. I examined the SOAP headers for both and found a little difference[4].
>
> At this point some questions come to my mind:
> 1) Which one should I use at the client side?

This will be specified by the policy of the service or how you manage
certs of trusted users at the service. See the explanation above.

>
> 2) Can we say one is more compatible (or more widely used) than the other?

I'm not sure which one is most used, but I think it's purely a decision
in configuring the service.

>
> 3) Can we say one is more secure than the other?

IMHO both mechanisms are the same, since both of them are different
ways of referring to public information (cert).

>
> 4) Should I consider the other signatureKeyIdentifier types (DirectReference, IssuerSerial, Thumbprint)?

DirectReference is another case where you add the base64 encoded cert
into the message. And IssuerSerial and Thumbprint both require you to
make sure the endpoint that processes the message has access to the
certs in its store. Also note that the thumbprint reference was introduced only
in WS-Security 1.1.

> 5) Should I just get some sleep and read all the docs again? :)

I guess you had your sleep :-) Sorry about the delay in my response.

Thanks,
Ruchith

>
> Regards,
>
> Ali Sadik Kumlali
>
>
> [1] http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
> [2] http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200607.mbox/%3c559c463d0607172159n3fb7e361k29498d0499fc2bf@mail.gmail.com%3e
> [3] http://www.wso2.net/tutorials/rampart/java/2006/09/06/sec-msg-exchg
> [4]
>
> X509KeyIdentifier:
> ------------------
>
> <wsse:KeyIdentifier
>   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
>   MIIDCjCCAfKgAwIBAgIQYDju2/6sm77InYfTq65x+DANBgkqhkiG9w0BAQUFADAwMQ4wDAYDVQQKDAVPQVNJUzEeMBwGA1UEAwwVT0FTSVMgSW50ZXJvcCBUZXN0IENBMB4XDTA1MDMxOTAwMDAwMFoXDTE4MDMxOTIzNTk1OVowQDEOMAwGA1UECgwFT0FTSVMxIDAeBgNVBAsMF09BU0lTIEludGVyb3AgVGVzdCBDZXJ0MQwwCgYDVQQDDANCb2IwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMCquMva4lFDrv3fXQnKK8CkSU7HvVZ0USyJtlL/yhmHH/FQXHyYY+fTcSyWYItWJYiTZ99PAbD+6EKBGbdfuJNUJCGaTWc5ZDUISqM/SGtacYe/PD/4+g3swNPzTUQAIBLRY1pkr2cm3s5Ch/f+mYVNBR41HnBeIxybw25kkoM7AgMBAAGjgZMwgZAwCQYDVR0TBAIwADAzBgNVHR8ELDAqMCiiJoYkaHR0cDovL2ludGVyb3AuYmJ0ZXN0Lm5ldC9jcmwvY2EuY3JsMA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUXeg55vRyK3ZhAEhEf+YT0z986L0wHwYDVR0jBBgwFoAUwJ0o/MHrNaEd1qqqoBwaTcJJDw8wDQYJKoZIhvcNAQEFBQADggEBAIiVGv2lGLhRvmMAHSlY7rKLVkv+zEUtSyg08FBT8z/RepUbtUQShcIqwWsemDU8JVtsucQLc+g6GCQXgkCkMiC8qhcLAt3BXzFmLxuCEAQeeFe8IATr4wACmEQE37TEqAuWEIanPYIplbxYgwP0OBWBSjcRpKRAxjEzuwObYjbll6vKdFHYIweWhhWPrefquFp7TefTkF4D3rcctTfWJ76I5NrEVld+7PBnnJNpdDEuGsoaiJrwTW3Ixm40RXvG3fYS4hIAPeTCUk3RkYfUkqlaaLQnUrF2hZSgiBNLPe8gGkYORccRIlZCGQDEpcWl1Uf9OHw6fC+3hkqolFd5CVI=
> </wsse:KeyIdentifier>
>
> SKIKeyIdentifier:
> -----------------
> <wsse:KeyIdentifier
>   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
>   Xeg55vRyK3ZhAEhEf+YT0z986L0=
> </wsse:KeyIdentifier>
>
>
>
>


-- 
www.ruchith.org
www.wso2.org

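An added example (editor's code, not from the thread, from Rampart or from WSS4J) that shows what the service side actually has to do with each reference form Ruchith describes: it parses the two wsse:KeyIdentifier variants quoted above plus a DirectReference (a wsse:Reference whose URI points at a BinarySecurityToken in the same header), pulls the Subject Key Identifier out of the embedded certificate with a minimal DER walker, and confirms that the SKI value sent in the SKIKeyIdentifier case is exactly the one carried inside the certificate sent in the X509KeyIdentifier case. The certificate and the SKI are the ones quoted in the thread; the wsse:Security headers, the keystore dict and the wsu:Id value CertId-1 are constructed for this example. It resolves references only: chain validation of an embedded certificate and the signature check itself are what Rampart does next and are not performed here.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces and ValueType URIs from WS-Security 1.0 and the X.509 token profile.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ENC_B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
VT_X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
VT_SKI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
NS = {"wsse": WSSE, "wsu": WSU}
OID_SKI = b"\x55\x1d\x0e"  # 2.5.29.14 subjectKeyIdentifier
BOB_CERT_B64 = (  # the "Bob" interop certificate and its SKI, exactly as quoted in the thread above
    "MIIDCjCCAfKgAwIBAgIQYDju2/6sm77InYfTq65x+DANBgkqhkiG9w0BAQUFADAwMQ4wDAYDVQQKDAVPQVNJUzEeMBwGA1UEAwwVT0FTSVMgSW50ZXJvcCBUZXN0IENBMB4XDTA1MDMxOTAwMDAwMFoXDTE4MDMxOTIzNTk1OVowQDEOMAwGA1UECgwFT0FT"
    "SVMxIDAeBgNVBAsMF09BU0lTIEludGVyb3AgVGVzdCBDZXJ0MQwwCgYDVQQDDANCb2IwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMCquMva4lFDrv3fXQnKK8CkSU7HvVZ0USyJtlL/yhmHH/FQXHyYY+fTcSyWYItWJYiTZ99PAbD+6EKBGbdfuJNU"
    "JCGaTWc5ZDUISqM/SGtacYe/PD/4+g3swNPzTUQAIBLRY1pkr2cm3s5Ch/f+mYVNBR41HnBeIxybw25kkoM7AgMBAAGjgZMwgZAwCQYDVR0TBAIwADAzBgNVHR8ELDAqMCiiJoYkaHR0cDovL2ludGVyb3AuYmJ0ZXN0Lm5ldC9jcmwvY2EuY3JsMA4GA1Ud"
    "DwEB/wQEAwIEsDAdBgNVHQ4EFgQUXeg55vRyK3ZhAEhEf+YT0z986L0wHwYDVR0jBBgwFoAUwJ0o/MHrNaEd1qqqoBwaTcJJDw8wDQYJKoZIhvcNAQEFBQADggEBAIiVGv2lGLhRvmMAHSlY7rKLVkv+zEUtSyg08FBT8z/RepUbtUQShcIqwWsemDU8JVts"
    "ucQLc+g6GCQXgkCkMiC8qhcLAt3BXzFmLxuCEAQeeFe8IATr4wACmEQE37TEqAuWEIanPYIplbxYgwP0OBWBSjcRpKRAxjEzuwObYjbll6vKdFHYIweWhhWPrefquFp7TefTkF4D3rcctTfWJ76I5NrEVld+7PBnnJNpdDEuGsoaiJrwTW3Ixm40RXvG3fYS"
    "4hIAPeTCUk3RkYfUkqlaaLQnUrF2hZSgiBNLPe8gGkYORccRIlZCGQDEpcWl1Uf9OHw6fC+3hkqolFd5CVI="
)
BOB_SKI_B64 = "Xeg55vRyK3ZhAEhEf+YT0z986L0="

def der_tlv(buf, pos):  # parse the DER tag and length at pos; return (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):  # yield (tag, value_start, value_end) for each TLV in buf[start:end]
    while start < end:
        tlv = der_tlv(buf, start)
        yield tlv
        start = tlv[2]

def subject_key_identifier(cert_der):
    """Return the SubjectKeyIdentifier extension value of a DER cert (None if absent)."""
    _, cert_start, _ = der_tlv(cert_der, 0)                # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = der_tlv(cert_der, cert_start)  # tbsCertificate ::= SEQUENCE
    for tag, start, end in der_children(cert_der, tbs_start, tbs_end):
        if tag == 0xA3:                                    # extensions [3] EXPLICIT
            _, exts_start, exts_end = der_tlv(cert_der, start)  # SEQUENCE OF Extension
            for _, ext_start, ext_end in der_children(cert_der, exts_start, exts_end):
                fields = list(der_children(cert_der, ext_start, ext_end))  # OID [critical] OCTET STRING
                if cert_der[fields[0][1]:fields[0][2]] == OID_SKI:
                    _, ski_start, ski_end = der_tlv(cert_der, fields[-1][1])  # inner OCTET STRING
                    return cert_der[ski_start:ski_end]
    return None

def resolve_str(security_el, store):
    """Resolve the SecurityTokenReference under security_el to (cert_der, how).

    "embedded": the cert came in the message (X509KeyIdentifier or DirectReference) and is untrusted
    until chain-validated against the service's CA (Rampart does that; this example does not).
    "keystore": the SKI was found in store (a dict SKI -> cert DER). Anything else is rejected.
    """
    str_el = security_el.find("wsse:SecurityTokenReference", NS)
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:  # DirectReference: URI="#<wsu:Id of a BinarySecurityToken in this header>"
        wsu_id = ref.get("URI").lstrip("#")
        for bst in security_el.iterfind("wsse:BinarySecurityToken", NS):
            if bst.get("{%s}Id" % WSU) == wsu_id and bst.get("ValueType") == VT_X509V3:
                return base64.b64decode("".join(bst.text.split())), "embedded"
        raise LookupError("no X509v3 BinarySecurityToken with wsu:Id=%s" % wsu_id)
    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is None or kid.get("EncodingType") != ENC_B64:
        raise ValueError("unsupported SecurityTokenReference")
    value = base64.b64decode("".join(kid.text.split()))
    if kid.get("ValueType") == VT_X509V3:
        return value, "embedded"
    if kid.get("ValueType") != VT_SKI or value not in store:  # unknown type, or a cert never stored
        raise LookupError("cannot resolve %s %s" % (kid.get("ValueType"), value.hex()))
    return store[value], "keystore"

def security_header(str_body, bst=""):  # constructed wsse:Security header around one STR, not from the page
    return ET.fromstring('<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s">%s<wsse:SecurityTokenReference>'
                         '%s</wsse:SecurityTokenReference></wsse:Security>' % (WSSE, WSU, bst, str_body))

def key_identifier(value_type, value_b64):
    return '<wsse:KeyIdentifier EncodingType="%s" ValueType="%s">%s</wsse:KeyIdentifier>' % (ENC_B64, value_type, value_b64)

def demo():
    bob = base64.b64decode(BOB_CERT_B64)
    store = {subject_key_identifier(bob): bob}  # the service's keystore, keyed by SKI
    headers = {
        "X509KeyIdentifier": security_header(key_identifier(VT_X509V3, BOB_CERT_B64)),
        "SKIKeyIdentifier": security_header(key_identifier(VT_SKI, BOB_SKI_B64)),
        "DirectReference": security_header(  # wsu:Id "CertId-1" is a constructed, assumed value
            '<wsse:Reference URI="#CertId-1" ValueType="%s"/>' % VT_X509V3,
            '<wsse:BinarySecurityToken wsu:Id="CertId-1" EncodingType="%s" ValueType="%s">%s'
            '</wsse:BinarySecurityToken>' % (ENC_B64, VT_X509V3, BOB_CERT_B64))}
    resolved = {name: resolve_str(hdr, store) for name, hdr in headers.items()}
    try:  # an SKI the service never stored must be rejected, not trusted
        resolve_str(security_header(key_identifier(VT_SKI, base64.b64encode(b"\0" * 20).decode())), store)
        unknown_rejected = False
    except LookupError:
        unknown_rejected = True
    return {"how": {name: how for name, (_, how) in resolved.items()}, "unknown_ski_rejected": unknown_rejected,
            "all_same_cert": all(cert == bob for cert, _ in resolved.values()),
            "ski_b64": base64.b64encode(subject_key_identifier(bob)).decode()}
```

The point is in the two outcomes of demo(): an embedded certificate (X509KeyIdentifier, DirectReference) resolves without consulting the store at all, so everything the service trusts about it has to come from validating its chain against the CA the service is configured to trust, whereas an SKI reference resolves only to a certificate the service has already imported, and an SKI it has never seen fails closed. That is the sense in which the two mechanisms are "the same" above: neither is stronger on its own, and the security comes from which of those two checks the service configuration actually performs on the resolved certificate.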