axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Benson Margulies" <>
Subject RE: Signed SOAP messages
Date Wed, 30 Jun 2004 12:15:22 GMT
Perhaps the OP isn't familiar enough with X.509 certificates? I'm
assuming that the APIs involved allow callers to see and validate the
other end's cert.


	From: [] 
	Sent: Wednesday, June 30, 2004 2:30 AM
	Subject: RE: Signed SOAP messages

	Digital Signature is a tool for achieving authentication. And
SSL does a (Client/Server) authentication before the encryption process
(that improvises confidentiality). So why do we need to do
authentication again ( by signing the soap messages) ? At the
application layer , are we assuming that  the soap messages can be
mapped to users whose identity is independent of what the SSL reveals ? 
	- Parag 
	With SSL, you can be reasonably sure that no one can listen to
the conversation, but 
	if the messages are signed as well, you can be sure of the
identity of whom you are 
	speaking with.  SSL alone does not do this. 
	***********************  HSS-Unclassified

View raw message