You are viewing a plain text version of this content. The canonical link for it is here.

Posted to fx-dev@ws.apache.org by Sanga Viswanathan <sv...@adobe.com> on 2004/08/03 18:18:41 UTC

Is Timestamp element mandatory?

Hi,

I had a question related to timestamps. Is the Timestamp element mandatory
according the spec? I m passing UsernameToken or saml assertions in the
WS-Sec header. Do I always have to have the timestamp element to be WSI
compliant. The basic security profile is not very clear in stating this.
More importantly should the server reject the header if the timestamp
element is not found?

Thanks

Sanga

Re: Is Timestamp element mandatory?

Posted by Rami Jaamour <rj...@parasoft.com>.

I don't have a definitive answer on that either, but I've seen a few WSS 
implementations putting in and signing it by default. I would include it 
and sign it in my secure deployments to prevent from replay attacks.

Rami Jaamour
Software Engineer
SOAPtest Development
Parasoft Corporation

"We Make Software Work"

Sanga Viswanathan wrote:

> Hi,
>
> I had a question related to timestamps. Is the Timestamp element 
> mandatory according the spec? I m passing UsernameToken or saml 
> assertions in the WS-Sec header. Do I always have to have the 
> timestamp element to be WSI compliant. The basic security profile is 
> not very clear in stating this. More importantly should the server 
> reject the header if the timestamp element is not found?
>
> Thanks
>
> Sanga
>