Subject: Question on wss-interop2-draft-06.pdf
All,

I need a bit of clarification on scenario #4. Lines 175-178 in [1] state that the response is signed first and then encrypted, with the signing key provided 'externally'. I am interpreting this as out of band (e.g. there is no certificate or key directly embedded in the response message).

Further reading of lines 331-334 in [1] implies that the actual certificate value is used (reference to CERT-VALUE):

"The KeyInfo MUST contain a SecurityTokenReference. The SecurityTokenReference MUST contain a KeyIdentifier with a ValueType attribute with a value of X509v3. The KeyIdentifier MUST have the value of CERT-VALUE."

Additionally, the example shows the ValueType for KeyIdentifier as "X509v3" (line 396 in [1]).

Finally, if the intention here is an actual certificate reference (e.g. use of the subject public key identifier), shouldn't the <wsse:KeyIdentifier> element use wsse:X509SubjectKeyIdentifier as the ValueType according to [2] (lines 200-202)?

"The wsse:KeyIdentifier element MUST have a ValueType attribute with the value wsse:X509SubjectKeyIdentifier and its contents MUST be the value of the certificate's X.509 SubjectKeyIdentifier extension"

It seems as if there is a contradiction between the interop2 draft 6 document and WSS-X509 draft 10 with regards to the allowable attribute value(s) for the <wsse:KeyIdentifier> element. The latter mandates the use of wsse:X509SubjectKeyIdentifier while the former shows an example using X509v3.

Please let me know if I have misread this or if this issue has already been discussed. It seems important for the interop to work properly.

[1] wss-interop2-draft-06.pdf
[2] WSS-X509 draft 10.pdf

Regards,
Blake Dournaee
Sarvega
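To make the difference between the two drafts concrete, here is an added example (not from this thread or from either draft) that resolves a wsse:SecurityTokenReference under each quoted ValueType: X509v3 carries the certificate itself in the KeyIdentifier, while wsse:X509SubjectKeyIdentifier carries only the SKI extension value and has to be looked up in a keystore. The wsse namespace URI is an assumption, and the certificate bytes and SKI are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# Assumed draft-era wsse namespace URI; the exact value depends on the draft in use.
WSSE_NS = "http://schemas.xmlsoap.org/ws/2003/06/secext"
NS = {"wsse": WSSE_NS}

# Constructed sample data, not a real certificate: a fake DER blob and a made-up
# SubjectKeyIdentifier for it, indexed the way a local keystore would index it.
FAKE_CERT_DER = b"\x30\x82CONSTRUCTED-DER-CERT"
FAKE_SKI = bytes(range(20))
KEYSTORE_BY_SKI = {FAKE_SKI: FAKE_CERT_DER}


def resolve_key_identifier(str_xml: str, keystore_by_ski: dict) -> bytes:
    """Return the DER certificate a wsse:SecurityTokenReference points at.

    X509v3 (interop2 draft 06, CERT-VALUE) carries the whole certificate in the
    KeyIdentifier; wsse:X509SubjectKeyIdentifier (WSS-X509 draft 10) carries
    only the SKI extension value and must be resolved against a keystore.
    """
    ki = ET.fromstring(str_xml).find(".//wsse:KeyIdentifier", NS)
    if ki is None:
        raise ValueError("SecurityTokenReference has no KeyIdentifier")
    value_type = ki.get("ValueType", "")
    content = base64.b64decode((ki.text or "").strip(), validate=True)
    if value_type == "X509v3":
        if not content.startswith(b"\x30"):  # DER SEQUENCE tag sanity check
            raise ValueError("X509v3 KeyIdentifier is not a DER certificate")
        return content
    if value_type == "wsse:X509SubjectKeyIdentifier":
        if content not in keystore_by_ski:
            raise ValueError("no certificate with that SubjectKeyIdentifier")
        return keystore_by_ski[content]
    raise ValueError(f"unsupported KeyIdentifier ValueType: {value_type!r}")


def build_str(value_type: str, raw: bytes) -> str:
    """Serialise a SecurityTokenReference holding one KeyIdentifier (demo helper)."""
    return (f'<wsse:SecurityTokenReference xmlns:wsse="{WSSE_NS}">'
            f'<wsse:KeyIdentifier ValueType="{value_type}">'
            f'{base64.b64encode(raw).decode()}</wsse:KeyIdentifier>'
            '</wsse:SecurityTokenReference>')


if __name__ == "__main__":
    print(resolve_key_identifier(build_str("X509v3", FAKE_CERT_DER), {}))
    print(resolve_key_identifier(
        build_str("wsse:X509SubjectKeyIdentifier", FAKE_SKI), KEYSTORE_BY_SKI))
```

A receiver that only implements one of the two ValueTypes will reject the other side's reference, which is exactly the interop failure the question is worried about.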