Posted to rampart-dev@ws.apache.org by Massimiliano Masi <ma...@math.unifi.it> on 2008/12/01 15:50:43 UTC

WS-SecureConversation

Hello, 

I am trying to understand how WS-SecureConversation works. 

Is the following correct behaviour?

1) The client sends an RST to the STS asking for the SCT and the secret
2) STS returns the SCT and the secret
3) STS sends an unsolicited RSTR to the service containing the SCT and
   the secret

Now they have the same derived key, DKey.

Using that key, each message could be protected from Replay Attacks and
MITM, by signing the headers using the DKey.

But since WS are stateless, for each invocation the SCT is something
like an index for retrieving the key that must be stored somewhere else.

Now, I looked at the example on rampart. 

You are not using the STS; it looks like the second scenario in the WS-SecConv spec.

Where is rampart storing the SCT?

Thanks, 


	Massimiliano
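The three-step exchange and the "SCT as an index into a key store" idea from the post above, as an added toy model that is not part of the original message and is not Rampart's code (Python is used here rather than Java for brevity). Assumptions: the derived key is computed with P_SHA1 over label + nonce, using the WS-SecureConversation 1.3 default label "WS-SecureConversation" concatenated twice; an HMAC-SHA256 over a pipe-joined string stands in for the XML-Signature that would cover the SOAP headers; an in-memory dict stands in for wherever a real service stores the context; and a per-message nonce cache is added to show that the derived key alone does not stop replays, the service also has to remember what it has already seen. The class and function names are invented for this example.

```python
"""Toy WS-SecureConversation flow: STS issues an SCT id + secret, pushes the
secret to the service (unsolicited RSTR), client and service derive the same
key per message and HMAC-sign the headers; the SCT id is only a lookup key.
Example code, not Rampart's implementation."""
import hashlib
import hmac
import os
import uuid

# Default label from WS-SecureConversation 1.3 (client label + service label),
# assumed here; real deployments may carry an explicit <Label>.
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA1 PRF (RFC 2246 section 5), the PRF WS-SecConv specifies."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 32,
               label: bytes = DEFAULT_LABEL) -> bytes:
    """DKey = P_SHA1(secret, label + nonce)[offset : offset + length]."""
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]


def canonical_headers(msg: dict) -> bytes:
    """Stand-in for canonicalised signed headers: SCT reference, nonce, action, body."""
    return b"|".join([msg["sct"].encode(), msg["nonce"].hex().encode(),
                      msg["action"].encode(), msg["body"].encode()])


class Service:
    def __init__(self):
        self.contexts = {}        # SCT identifier -> shared secret (the "index" from the post)
        self.seen_nonces = set()  # replay cache for DerivedKeyToken nonces

    def register_context(self, sct_id: str, secret: bytes) -> None:
        self.contexts[sct_id] = secret  # step 3: unsolicited RSTR from the STS

    def verify(self, msg: dict) -> str:
        secret = self.contexts.get(msg["sct"])
        if secret is None:
            return "unknown SCT"
        key = derive_key(secret, msg["nonce"])
        expected = hmac.new(key, canonical_headers(msg), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["signature"]):
            return "bad signature"   # checked before the replay cache so forgeries cannot poison it
        if msg["nonce"] in self.seen_nonces:
            return "replay"
        self.seen_nonces.add(msg["nonce"])
        return "ok"


class STS:
    def __init__(self, service: Service):
        self.service = service

    def request_security_token(self):
        """Steps 1-2: answer the client's RST with an SCT id and a fresh secret."""
        sct_id = "urn:uuid:" + str(uuid.uuid4())
        secret = os.urandom(32)
        self.service.register_context(sct_id, secret)
        return sct_id, secret


class Client:
    def __init__(self, sct_id: str, secret: bytes):
        self.sct_id, self.secret = sct_id, secret

    def build_message(self, action: str, body: str) -> dict:
        nonce = os.urandom(16)  # fresh DerivedKeyToken nonce per message
        msg = {"sct": self.sct_id, "nonce": nonce, "action": action, "body": body}
        key = derive_key(self.secret, nonce)
        msg["signature"] = hmac.new(key, canonical_headers(msg), hashlib.sha256).digest()
        return msg


def run_scenario() -> list:
    """Legitimate call, replay, body tampering, unknown SCT; constructed sample traffic."""
    service = Service()
    sts = STS(service)
    sct_id, secret = sts.request_security_token()
    client = Client(sct_id, secret)
    msg = client.build_message("getQuote", "<symbol>ACME</symbol>")
    results = [service.verify(msg), service.verify(msg)]
    results.append(service.verify(dict(msg, body="<symbol>EVIL</symbol>")))
    results.append(service.verify(dict(msg, sct="urn:uuid:00000000-0000-0000-0000-000000000000")))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The point the toy makes explicit: the SCT identifier carries no key material, so the service must keep a (sct_id -> secret) table for the lifetime of the context, and replay protection comes from the nonce cache (or a timestamp window), not from the derived key by itself.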