axis-java-user mailing list archives

From "Benson Margulies" <bim2...@basistech.com>
Subject RE: Signed SOAP messages
Date Wed, 30 Jun 2004 12:15:22 GMT
Perhaps the OP isn't familiar enough with X.509 certificates? I'm
assuming that the APIs involved allow callers to see and validate the
other end's cert.


________________________________

	From: pagarwal@hss.hns.com [mailto:pagarwal@hss.hns.com] 
	Sent: Wednesday, June 30, 2004 2:30 AM
	To: axis-user@ws.apache.org
	Subject: RE: Signed SOAP messages
	
	

	Digital Signature is a tool for achieving authentication. And SSL does a (Client/Server) authentication before the encryption process (that improvises confidentiality). So why do we need to do authentication again (by signing the SOAP messages)? At the application layer, are we assuming that the SOAP messages can be mapped to users whose identity is independent of what the SSL reveals?
	
	- Parag 
	
	
	------------------------------------------------------------------------
	
	With SSL, you can be reasonably sure that no one can listen to the conversation, but if the messages are signed as well, you can be sure of the identity of whom you are speaking with.  SSL alone does not do this.
	  
	Russ 
	
	
	***********************  HSS-Unclassified
***********************
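
The point at the top of this message, that the transport APIs let a caller see and check the other end's certificate, shown as an added example (not code from this thread or from Axis): a plain JSSE helper that reads the certificate authenticated during the SSL/TLS handshake and maps it to an application-level caller. The class name, the allow-list and the DN in it are hypothetical; on the server side it assumes the listener was configured to require client authentication.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical helper: turns the transport-level peer certificate into a caller identity. */
public final class PeerIdentity {

    // Constructed sample allow-list: subject DNs (RFC 2253 form) the application accepts.
    private static final Set<String> KNOWN_CALLERS =
            Set.of("CN=orders-client,O=Example Corp,C=US");

    private PeerIdentity() { }

    /**
     * Returns the subject DN of the authenticated peer, or throws if the peer
     * presented no certificate or one the application does not map to a caller.
     * Chain and trust validation were already done by the TrustManager during
     * the handshake; this method only decides who the validated peer is.
     */
    public static String callerFor(SSLSession session)
            throws SSLPeerUnverifiedException, CertificateException {
        // Throws SSLPeerUnverifiedException when the peer was not authenticated,
        // e.g. a server that never asked the client for a certificate.
        Certificate[] chain = session.getPeerCertificates();
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new CertificateException("peer did not present an X.509 certificate");
        }
        X509Certificate leaf = (X509Certificate) chain[0];

        // Reject a certificate that is expired or not yet valid at the time of use.
        leaf.checkValidity();

        // The identity the transport vouches for; compare it with the allow-list.
        String subject = leaf.getSubjectX500Principal().getName();
        if (!KNOWN_CALLERS.contains(subject)) {
            throw new CertificateException("certificate subject is not a known caller: " + subject);
        }
        return subject;
    }
}
```

The identity returned here describes the peer of this one connection only, so it is not tied to an individual SOAP message once that message is stored or passed on by an intermediary.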


