Posted to users@cxf.apache.org by Lukasz Lichota <Lu...@sabre.com> on 2009/07/15 14:55:59 UTC

WS-S Signature - multiple public keys on server side

Let's say I have a client that needs to sign a message. The client uses
<entry key="signatureKeyIdentifier" value="IssuerSerial" />
so the public key is preinstalled on the server.

How about the case when there is more than one client, each with a different
key?
The server would have to have many public keys;
do they need to be put in one keystore?
What about the alias field from the properties?
org.apache.ws.security.crypto.merlin.keystore.alias=client
What should its value be in this case?

Is such a configuration possible at all? 
-- 
View this message in context: http://www.nabble.com/WS-S-Signature---multiple-public-keys-on-server-side-tp24497380p24497380.html
Sent from the cxf-user mailing list archive at Nabble.com.


RE: WS-S Signature - multiple public keys on server side

Posted by Lukasz Lichota <Lu...@sabre.com>.
Thanks for the reply 

IssuerSerial needs to be used because I'm thinking about the case when the
client's certificate is not signed by any CA (e.g. it was obtained from the
service provider company).


Colm O hEigeartaigh wrote:
> 
> 
>> The server would have to have many public keys; do they need to be put in
> one keystore?
> 
> Yes, as you're using issuer serial to reference the public key required
> to verify the signature. A better solution is to use Direct Reference,
> so the X.509 cert is included in the request. In this case, the server
> has all of the information it needs to verify the request and so it
> doesn't need to know anything about the public key of the client. All it
> needs to have is the public key of the CA that issued the client cert
> installed in the keystore, so that it can verify trust on the
> transmitted client cert.
> 
>> What about the alias field from the properties?
> 
> That's not used for the server case, only for the client.
> 
> Colm.
> 
> 



RE: WS-S Signature - multiple public keys on server side

Posted by Colm O hEigeartaigh <co...@progress.com>.
> The server would have to have many public keys; do they need to be put in
one keystore?

Yes, as you're using issuer serial to reference the public key required
to verify the signature. A better solution is to use Direct Reference,
so the X.509 cert is included in the request. In this case, the server
has all of the information it needs to verify the request and so it
doesn't need to know anything about the public key of the client. All it
needs to have is the public key of the CA that issued the client cert
installed in the keystore, so that it can verify trust on the
transmitted client cert.

> What about the alias field from the properties?

That's not used for the server case, only for the client.

Colm.


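Colm's Direct Reference suggestion written out as a CXF Spring configuration for one client and the server; this is an added example, not configuration from the thread or from the CXF project, and the bean ids, service classes, addresses, callback class, property-file names and keystore values are assumptions.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
  <!-- Client side: sign the request and carry the signing certificate in the
       BinarySecurityToken (DirectReference), so the server needs no prior copy of it. -->
  <jaxws:client id="orderClient" serviceClass="com.example.OrderService"
                address="https://service.example.org/order">
    <jaxws:outInterceptors>
      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
        <constructor-arg>
          <map>
            <entry key="action" value="Signature"/>
            <entry key="user" value="client1"/>   <!-- alias of this client's own key -->
            <entry key="passwordCallbackClass" value="com.example.KeystorePasswordCallback"/>
            <entry key="signaturePropFile" value="client1_sign.properties"/>
            <!-- before: <entry key="signatureKeyIdentifier" value="IssuerSerial"/> -->
            <entry key="signatureKeyIdentifier" value="DirectReference"/>
          </map>
        </constructor-arg>
      </bean>
    </jaxws:outInterceptors>
  </jaxws:client>
  <!-- Server side: verify the signature, then check that the transmitted
       certificate chains to a CA certificate in the server keystore.
       server_sign.properties (constructed) carries only the Merlin settings:
         org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
         org.apache.ws.security.crypto.merlin.keystore.type=jks
         org.apache.ws.security.crypto.merlin.keystore.password=changeit
         org.apache.ws.security.crypto.merlin.file=server_trust.jks
       No keystore.alias entry: the verifying side does not consult it, and the
       keystore holds one trusted-cert entry per issuing CA, not one per client. -->
  <jaxws:endpoint id="orderEndpoint" implementor="com.example.OrderServiceImpl"
                  address="/order">
    <jaxws:inInterceptors>
      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
          <map>
            <entry key="action" value="Signature"/>
            <entry key="signaturePropFile" value="server_sign.properties"/>
          </map>
        </constructor-arg>
      </bean>
    </jaxws:inInterceptors>
  </jaxws:endpoint>
</beans>
```

For the follow-up case of a client certificate that no CA signed, the same server configuration still applies: WSS4J accepts a transmitted certificate that is itself present in the server keystore, so each self-signed client certificate is imported there as a trusted-certificate entry under any alias, while with IssuerSerial every client's certificate must be imported whether CA-signed or not.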