Subject: Question regarding Username Token Profile 1.0
Colleagues -

WSS Username Token Profile 1.0 lines 108-109 state: "If either or both of <wsse:Nonce> and <wsu:Created> are present they MUST be included in the digest value as follows:.."

What if there is no digest value? In other words, does this spec allow inclusion of <wsse:Nonce> and <wsu:Created> using passwords of type passwordText? Below is an example of what I am thinking of, and I was wondering if this would be considered compliant or not:

    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>SomeUser</wsse:Username>
        <wsse:Password Type="...#PasswordText">SomePassword</wsse:Password>
        <wsse:Nonce>OGJjZjQwNjI5NzNmZjEzMjkwNDg5YzY4MWQzYTUwYWQ=</wsse:Nonce>
        <wsu:Created>2005-08-26T23:19:40Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
    ...

I do realize that there are security implications, and in this particular case there are certain mitigating circumstances whose explanation is beyond the scope of this message.

Thanks in advance,
Jahan

------------------------------
Jahan Moreh
Chief Security Architect
310.288.2141
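A receiver-side sketch of how Nonce and Created can be checked for either password type, added here as an example and not part of the original message or of the OASIS specification. The digest uses the profile's Base64(SHA-1(nonce + created + password)) formula with the nonce base64-decoded first; the five-minute freshness window, the in-memory nonce cache and the function names are assumptions.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window (receiver policy)
_seen_nonces = {}               # assumed in-memory replay cache: nonce -> time seen


def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce + created + password)); absent parts are left out."""
    raw = (base64.b64decode(nonce_b64 or "")
           + (created or "").encode()
           + password.encode())
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def check_token(pw_type, pw_value, nonce_b64, created, stored_password, now):
    """Return 'ok' or the reason the UsernameToken is rejected."""
    # Match on the fragment only, since the page elides the full Type URI.
    if pw_type.endswith("#PasswordDigest"):
        # Digest mode: the receiver must hold the password (or an equivalent).
        expected = password_digest(nonce_b64, created, stored_password)
    else:
        # PasswordText: the element carries the password itself.
        expected = stored_password
    if not hmac.compare_digest(pw_value.encode(), expected.encode()):
        return "bad-password"
    # With PasswordText, Nonce/Created are not bound to the password by a hash,
    # so they only help if the whole token is integrity-protected in transit.
    if created:
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
        if abs(now - ts.replace(tzinfo=timezone.utc)) > MAX_AGE:
            return "stale"
    if nonce_b64:
        if nonce_b64 in _seen_nonces:
            return "replayed"
        _seen_nonces[nonce_b64] = now  # record only after authentication
    return "ok"


if __name__ == "__main__":
    # Values taken from the example token in the message above.
    now = datetime(2005, 8, 26, 23, 20, 0, tzinfo=timezone.utc)
    nonce = "OGJjZjQwNjI5NzNmZjEzMjkwNDg5YzY4MWQzYTUwYWQ="
    args = ("...#PasswordText", "SomePassword", nonce,
            "2005-08-26T23:19:40Z", "SomePassword", now)
    print(check_token(*args))  # first presentation
    print(check_token(*args))  # same nonce presented again
```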