You are viewing a plain text version of this content. The canonical link for it is here.
Posted to fx-dev@ws.apache.org by Ron Reynolds <Ro...@RonReynolds.com> on 2005/10/18 02:11:44 UTC
key size and algorithm choices...
(repost from axis-users@ per dims' suggestion)
i'm working on adding signatures to my ws requests and want to issue a unique key pair to each
approved client application. since i want the overhead of security to be insignificant compared
to the overhead of the requested method (i.e., i don't want the addition of security to be a
serious performance hit compared to the system without security) is there an accepted
algorithm/key-size pair that works well? this is (currently) an in-house app to a resource
management system so i'm not too worried about the ficticious "black-hat" with a Cray and
75 years to try to crack the message - in fact i could probably get by with a MD5 xor with the
client's id to do the trick, but i would like to leverage what basic security xml-sig gives
to give some assurance to my bosses that not just anybody can send messages to the service.
options/experiences folks have had with finding the equilibrium point between security and
performance with ws-security would be greatly appreciated. :)
oh, while on the topic of ws security - in this case the client application is acting on the
part of a user and my thought was to pass all 3 pieces of info (user's staff-id, client's
app-id, and client's message-sig value) as headers (i.e., not have to declare them as part
of the WS interface). has anyone done this with wss4j? if so could you send a sample of your
server- and client-config.wsdd files? i'm not sure if i need 2 WSDoAllSenders or 3 - ditto
with the WSDoAllReceivers. and i'm sure i'll have questions when i get to working out the
crypto.properties files but that's for a later email. :) also are there any good sites out
there other than the deployment tutorial and deployment examples on using wss4j?
thanks. :)
.............ron.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org