Posted to wss4j-dev@ws.apache.org by "Guy Rixon (JIRA)" <ji...@apache.org> on 2005/08/10 10:38:39 UTC
[jira] Created: (WSS-15) Documentation for direct-reference mode of message signing
Documentation for direct-reference mode of message signing
----------------------------------------------------------
Key: WSS-15
URL: http://issues.apache.org/jira/browse/WSS-15
Project: WSS4J
Type: Improvement
Environment: WSS4J 1.0.0
Reporter: Guy Rixon
Assigned to: Davanum Srinivas
The WSS4J web-site lacks instructions on how to select the direct-reference mode of message signature (in which the sender's certificate is included in the message). In fact, there's no documentation on the signature modes at all. I append an xdoc outlining the issuer-serial (WSS4J default) and direct-reference modes and explaining how to select them.
<?xml version="1.0"?>
<document>
<properties>
<author email="gtr@ast.cam.ac.uk">Guy Rixon</author>
<title>Including the sender's certificate in the signed message</title>
</properties>
<body>
<section name="Including the sender's certificate in the signed message">
<p>
When messages are digitally signed, the recipient must have the sender's
certificate chain in order to check the signature. Typically, the chain has
two certificates: that of the sender and that of the sender's certificate
authority (CA).
</p>
<p>
There are two common ways of getting the certificates to the service.
</p>
<ol>
<li>
Install the CA's certificate in the service configuration. Send the caller's
individual certificate with the signed message. This is called "direct reference",
since the signature mark-up in the SOAP header refers directly to an included
credential.
</li>
<li>
Install both the CA certificate and the caller's individual certificate in the
service configuration. Send the CA's name and the serial number of the caller's
certificate in the SOAP message; have the service retrieve its copy of the certificate
using these metadata. This is called the "issuer-serial" method.
</li>
</ol>
<p>
The issuer-serial method presumes that all trusted users of the service are known to the
service and have pre-registered
their certificate chains before using the service. The direct-reference method presumes
that the service operator trusts all users with certificates issued by a trusted CA.
</p>
<p>
To use the direct-reference method when using WSDoAllSender to sign the messages, the client must
set a handler property as follows.
</p>
<pre>
stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
</pre>
<p>
To use the issuer-serial method, the property should be set like this:
</p>
<pre>
stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
</pre>
<p>
If the property is not set, the default in WSS4J is to use the issuer-serial method.
</p>
</section>
</body>
</document>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
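The two key-identifier modes described in the attached xdoc differ mainly in what the receiving service has to do. The following is an added example, not WSS4J code and not part of the issue, showing the receiver's side in plain JDK Java: it reads the signature's SecurityTokenReference from a wsse:Security header, resolves the signer's certificate either from the embedded BinarySecurityToken (direct reference) or from the pre-registered keystore by issuer name and serial number (issuer-serial), and then validates the certificate against the operator's trusted CAs. The namespace URIs are the OASIS WS-Security 1.0 ones; the class name, method names and the keystore/trust-anchor arguments are assumptions chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example (not WSS4J code): what a receiving service does in each
 * key-identifier mode to find the signer's certificate and confirm it is trusted.
 * Namespace URIs are the OASIS WS-Security 1.0 ones; the class layout is an assumption.
 */
public class SignerCertResolver {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String DS   = "http://www.w3.org/2000/09/xmldsig#";

    private final KeyStore registered;         // pre-registered user certificates (issuer-serial mode)
    private final Set<TrustAnchor> trustedCas; // CA certificates the operator trusts (both modes)

    public SignerCertResolver(KeyStore registered, Set<TrustAnchor> trustedCas) {
        this.registered = registered;
        this.trustedCas = trustedCas;
    }

    /** Locate the signer's certificate from the KeyInfo of the signature inside a wsse:Security header. */
    public X509Certificate resolve(Element securityHeader) throws Exception {
        Element keyInfo = first(securityHeader, DS, "KeyInfo");
        Element str = first(keyInfo, WSSE, "SecurityTokenReference");
        if (str == null) throw new CertificateException("no SecurityTokenReference in signature");

        Element ref = first(str, WSSE, "Reference");
        if (ref != null) {
            // Direct reference: URI="#id" names a BinarySecurityToken carried in the same header.
            String uri = ref.getAttribute("URI");
            String id = uri.startsWith("#") ? uri.substring(1) : uri;
            NodeList tokens = securityHeader.getElementsByTagNameNS(WSSE, "BinarySecurityToken");
            for (int i = 0; i < tokens.getLength(); i++) {
                Element bst = (Element) tokens.item(i);
                if (id.equals(bst.getAttributeNS(WSU, "Id"))) {
                    // The token text is base64 DER; the MIME decoder tolerates line breaks inside XML.
                    byte[] der = Base64.getMimeDecoder().decode(bst.getTextContent().trim());
                    return (X509Certificate) CertificateFactory.getInstance("X.509")
                            .generateCertificate(new ByteArrayInputStream(der));
                }
            }
            throw new CertificateException("BinarySecurityToken " + id + " not found in header");
        }

        Element issuerSerial = first(str, DS, "X509IssuerSerial");
        if (issuerSerial != null) {
            // Issuer-serial: only the CA name and serial travel in the message;
            // the certificate itself must already be in the service configuration.
            X500Principal issuer = new X500Principal(first(issuerSerial, DS, "X509IssuerName").getTextContent().trim());
            BigInteger serial = new BigInteger(first(issuerSerial, DS, "X509SerialNumber").getTextContent().trim());
            for (Enumeration<String> aliases = registered.aliases(); aliases.hasMoreElements();) {
                java.security.cert.Certificate c = registered.getCertificate(aliases.nextElement());
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    if (x.getIssuerX500Principal().equals(issuer) && x.getSerialNumber().equals(serial)) return x;
                }
            }
            throw new CertificateException("no registered certificate for " + issuer + " serial " + serial);
        }
        throw new CertificateException("unsupported key identifier in SecurityTokenReference");
    }

    /**
     * Chain validation against the configured CAs. In direct-reference mode this is the
     * whole trust decision, because the caller rather than the operator supplied the certificate.
     */
    public void checkTrust(X509Certificate signer) throws Exception {
        PKIXParameters params = new PKIXParameters(trustedCas);
        params.setRevocationEnabled(false); // assumption for the example; enable CRL/OCSP checking in production
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Collections.singletonList(signer));
        CertPathValidator.getInstance("PKIX").validate(path, params); // throws if the chain does not reach a trusted CA
    }

    private static Element first(Element parent, String ns, String local) {
        if (parent == null) return null;
        NodeList nl = parent.getElementsByTagNameNS(ns, local);
        return nl.getLength() == 0 ? null : (Element) nl.item(0);
    }
}
```

Usage: parse the incoming SOAP envelope with a namespace-aware DocumentBuilder, pass the wsse:Security element to resolve(), and call checkTrust() on the result before using the certificate to verify the XML signature. Whichever value the client chose for SIG_KEY_ID, checkTrust() must run: with "DirectReference" the only thing binding the message to a trusted CA is that chain validation, and with "IssuerSerial" it guards against a stale or mis-registered entry in the service keystore.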
[jira] Resolved: (WSS-15) Documentation for direct-reference mode of message signing
Posted by "Davanum Srinivas (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/WSS-15?page=all ]
Davanum Srinivas resolved WSS-15:
---------------------------------
Resolution: Fixed
Checked in.
thanks,
dims
> Documentation for direct-reference mode of message signing
> ----------------------------------------------------------
>
> Key: WSS-15
> URL: http://issues.apache.org/jira/browse/WSS-15
> Project: WSS4J
> Type: Improvement
> Environment: WSS4J 1.0.0
> Reporter: Guy Rixon
> Assignee: Davanum Srinivas
>
> The WSS4J web-site lacks instructions on how to select the direct-reference mode of message signature (in which the sender's certificate is included in the message). In fact, there's no documentation on the signature modes at all. I append an xdoc outlining the issuer-serial (WSS4J default) and direct-reference modes and explaining how to select them.
> <?xml version="1.0"?>
> <document>
> <properties>
> <author email="gtr@ast.cam.ac.uk">Guy Rixon</author>
> <title>Including the sender's certificate in the signed message</title>
> </properties>
>
> <body>
> <section name="Including the sender's certificate in the signed message">
> <p>
> When messages are digitally signed, the recipient must have the sender's
> certificate chain in order to check the signature. Typically, the chain has
> two certificates: that of the sender and that of the sender's certificate
> authority (CA).
> </p>
> <p>
> There are two common ways of getting the certificates to the service.
> </p>
> <ol>
> <li>
> Install the CA's certificate in the service configuration. Send the caller's
> individual certificate with the signed message. This is called "direct reference",
> since the signature mark-up in the SOAP header refers directly to an included
> credential.
> </li>
> <li>
> Install both the CA certificate and the caller's individual certificate in the
> service configuration. Send the CA's name and the serial number of the caller's
> certificate in the SOAP message; have the service retrieve its copy of the certificate
> using these metadata. This is called the "issuer-serial" method.
> </li>
> </ol>
> <p>
> The issuer-serial method presumes that all trusted users of the service are known to the
> service and have pre-registered
> their certificate chains before using the service. The direct-reference method presumes
> that the service operator trusts all users with certificates issued by a trusted CA.
> </p>
> <p>
> To use the direct-reference method when using WSDoAllSender to sign the messages, the client must
> set a handler property as follows.
> </p>
> <pre>
> stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
> </pre>
> <p>
> To use the issuer-serial method, the property should be set like this:
> </p>
> <pre>
> stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
> </pre>
> <p>
> If the property is not set, the default in WSS4J is to use the issuer-serial method.
> </p>
> </section>
> </body>
>
> </document>