axis-java-user mailing list archives

From Ali Sadik Kumlali <as_kuml...@yahoo.com>
Subject Re: [Axis2][Rampart] What are the differences between X509KeyIdentifier and SKIKeyIdentifier?
Date Wed, 03 Jan 2007 10:33:52 GMT
Excellent explanations as always! I love this dream :) Thank you Ruchith.

Regards,

Ali Sadik Kumlali

----- Original Message ----
From: Ruchith Fernando <ruchith.fernando@gmail.com>
To: axis-user@ws.apache.org
Sent: Wednesday, January 3, 2007 12:16:11 PM
Subject: Re: [Axis2][Rampart] What are the differences between X509KeyIdentifier and SKIKeyIdentifier?

Hi Paul,

On 1/3/07, Paul Fremantle <pzfreo@gmail.com> wrote:
> Ruchith
>
> From your description above, it seems like in the case of
> X509KeyIdentifier and DirectReference the actual cert is included in
> the message and in the case of SKIKeyIdentifier, IssuerSerial and
> ThumbPrint, the cert needs to be in the server's keystore or LDAP.
>
> I think I can see that SKIKeyIdentifier, IssuerSerial and ThumbPrint
> are just three different ways of looking up the certificate in the
> store. Am I right?

Yes

>
> However, I don't understand the difference between X509KeyIdentifier
> and DirectReference. Can you explain that please!?

X509KeyIdentifier :

This is the case where a SecurityTokenReference uses a
wsse:KeyIdentifier element to refer to a key.

DirectReference :

This is where a SecurityTokenReference uses a "wsse:Reference" element
to refer to a security token.

Please see Sections 7.2 and 7.3 of [1]

Thanks,
Ruchith

[1] https://svn.apache.org/repos/asf/webservices/wss4j/trunk/specs/wss-v1.1-spec-os-SOAPMessageSecurity.pdf


>
> Paul
>
> On 1/3/07, Ruchith Fernando <ruchith.fernando@gmail.com> wrote:
> > Hi,
> >
> > On 12/21/06, Ali Sadik Kumlali <as_kumlali@yahoo.com> wrote:
> > > Hi folks,
> > >
> > > I have many clients sending messages signed with their own certificates. So,
> > > I stored their public certificates in a keystore. After:
> > >   - Looking x509-token-profile-1.0 spec[1]
> > >   - Reading the related mail[2]
> > >   - Reading the "Secure Message Exchanges with Multiple Users" article in WS20[3]
> > >
> > >
> > > I still need to understand what the differences are between X509KeyIdentifier
> > > and SKIKeyIdentifier?
> >
> > X509KeyIdentifier is used to refer to a cert. And in this case the
> > base64 encoded cert is included directly within the key identifier
> > element. This can be used when the endpoint that processes the message
> > trusts a certain CA and the users are expected to use certs that are
> > signed by that trusted CA. Therefore a signature with a trusted cert
> > will be accepted. Note that the endpoint will not have to store all
> > client certs in this case since they will be available in the message
> > itself.
> >
> > SKIKeyIdentifier specifies the use of the "Subject Key Identifier"
> > X.509 extension value as the mechanism to refer to the cert used to
> > sign. In this case it should be noted that the endpoint that processes
> > the message should have access to a store that holds the potential
> > certificates so that the matching cert can be fetched (based on the
> > SKI) to carry out signature verification.
> > >
> > > Both of them were accepted by the service without any change at the server
> > > side. At the client side, on the other hand, the only change I made was setting
> > > <signatureKeyIdentifier> in axis2.xml to either X509KeyIdentifier or SKIKeyIdentifier.
> > > I examined the SOAP headers for both and found a little difference[4].
> > >
> > > In this point some questions come to my mind:
> > > 1) Which one should I use at the client side?
> >
> > This will be specified by the policy of the service or how you manage
> > certs of trusted users at the service. See the explanation above.
> >
> > >
> > > 2) Can we say one is more compatible(or widely used) than the other?
> >
> > I am not sure which one is most used, but I think it's purely a decision
> > in configuring the service.
> >
> > >
> > > 3) Can we say one is more secure than the other?
> >
> > IMHO both mechanisms are the same, since both of them are different
> > ways of referring to public information (cert).
> >
> > >
> > > 4) Should I consider other signatureKeyIdentifier types (DirectReference, IssuerSerial,
> > > Thumbprint)?
> >
> > DirectReference is another case where you add the base64 encoded cert
> > into the message. And IssuerSerial and Thumbprint both require you to
> > make sure the endpoint that processes the message has access to the
> > certs in its store. Also note that the thumbprint ref is introduced only
> > in WS-Sec-1.1
> >
> > > 5) Should I just get a sleep and read all the docs again? :)
> >
> > I guess you had your sleep :-) Sorry about the delay in my response.
> >
> > Thanks,
> > Ruchith
> >
> > >
> > > Regards,
> > >
> > > Ali Sadik Kumlali
> > >
> > >
> > > [1] http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
> > > [2] http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200607.mbox/%3c559c463d0607172159n3fb7e361k29498d0499fc2bf@mail.gmail.com%3e
> > > [3] http://www.wso2.net/tutorials/rampart/java/2006/09/06/sec-msg-exchg
> > > [4]
> > >
> > > X509KeyIdentifier:
> > > ------------------
> > >
> > > <wsse:KeyIdentifier
> > >   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> > >   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
> > >   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
> > > </wsse:KeyIdentifier>
> > >
> > > SKIKeyIdentifier:
> > > -----------------
> > > <wsse:KeyIdentifier
> > >   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> > >   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
> > >   Xeg55vRyK3ZhAEhEf+YT0z986L0=
> > > </wsse:KeyIdentifier>
> > >
> > >
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Tired of spam?  Yahoo! Mail has the best spam protection around
> > > http://mail.yahoo.com
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> > > For additional commands, e-mail: axis-user-help@ws.apache.org
> > >
> > >
> >
> >
> > --
> > www.ruchith.org
> > www.wso2.org
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> > For additional commands, e-mail: axis-user-help@ws.apache.org
> >
> >
>
>
> --
> Paul Fremantle
> VP/Technology, WSO2 and OASIS WS-RX TC Co-chair
>
> http://bloglines.com/blog/paulfremantle
> paul@wso2.com
>
> "Oxygenating the Web Service Platform", www.wso2.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> For additional commands, e-mail: axis-user-help@ws.apache.org
>
>


-- 
www.ruchith.org
www.wso2.org

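To make the distinction drawn in this thread concrete, here is an added example. It is not code from the thread, from Rampart or from WSS4J, and it is written in Go rather than Java so it runs self-contained with only the standard library. It builds the three wsse:KeyIdentifier forms discussed (X509v3, X509SubjectKeyIdentifier and the WS-Security 1.1 ThumbprintSHA1) on the client side and resolves them on the service side, where the X509v3 form is accepted only after chain validation against a trusted CA and the other two are bare lookups into the endpoint's store. The X509v3 and X509SubjectKeyIdentifier ValueType URIs are the ones quoted in the thread; the ThumbprintSHA1 URI is from the WS-Security 1.1 specification. The CA, the enrolled client and the rogue self-signed certificate are generated in-process as constructed fixtures, and the function names (EncodeKeyIdentifier, Resolve, BuildScenario, newCert) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// ValueType URIs a wsse:KeyIdentifier can carry (X.509 token profile 1.0; the thumbprint form exists only from WS-Security 1.1).
const (
	vtX509v3     = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
	vtSKI        = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
	vtThumbprint = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
)
func thumbprint(c *x509.Certificate) []byte { s := sha1.Sum(c.Raw); return s[:] }
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // only for the fixtures below

// EncodeKeyIdentifier is the client side: the Base64Binary content of <wsse:KeyIdentifier> for a ValueType.
func EncodeKeyIdentifier(c *x509.Certificate, valueType string) string {
	switch valueType {
	case vtX509v3: // the whole DER certificate travels in the message
		return base64.StdEncoding.EncodeToString(c.Raw)
	case vtSKI: // only the value of the SubjectKeyIdentifier extension
		return base64.StdEncoding.EncodeToString(c.SubjectKeyId)
	case vtThumbprint: // only a SHA-1 digest of the DER certificate
		return base64.StdEncoding.EncodeToString(thumbprint(c))
	}
	panic("unsupported ValueType " + valueType) // client-side misconfiguration
}

// Resolve is the service side: map a KeyIdentifier back to the signer's certificate. An embedded cert (X509v3) is
// trusted only via chain validation against roots. An SKI or thumbprint is a lookup key, not a credential (anyone
// can mint a cert carrying any SKI), so for those the trust decision is simply membership in the endpoint's store.
func Resolve(valueType, b64 string, store []*x509.Certificate, roots *x509.CertPool) (*x509.Certificate, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil { return nil, fmt.Errorf("bad Base64Binary: %w", err) }
	var match func(*x509.Certificate) bool
	switch valueType {
	case vtX509v3:
		cert, err := x509.ParseCertificate(raw)
		if err != nil { return nil, fmt.Errorf("embedded cert: %w", err) }
		if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil { return nil, fmt.Errorf("embedded cert not trusted: %w", err) }
		return cert, nil
	case vtSKI:
		match = func(c *x509.Certificate) bool { return bytes.Equal(c.SubjectKeyId, raw) }
	case vtThumbprint:
		match = func(c *x509.Certificate) bool { return bytes.Equal(thumbprint(c), raw) }
	default:
		return nil, fmt.Errorf("unsupported ValueType %q", valueType)
	}
	for _, c := range store { // the reference only selects; being in the store is what makes the cert trusted
		if match(c) { return c, nil }
	}
	return nil, fmt.Errorf("no certificate in the store matches this %s reference", valueType)
}

// newCert mints a throwaway ECDSA test certificate (constructed for this example) with an explicit SKI; a nil parent means self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ski := sha1.Sum(must(x509.MarshalPKIXPublicKey(&key.PublicKey)))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		SubjectKeyId: ski[:], KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildScenario constructs the test world: a trusted CA, one client it issued (held in the store) and a rogue self-signed cert.
func BuildScenario() (roots *x509.CertPool, store []*x509.Certificate, client, rogue *x509.Certificate) {
	ca, caKey := newCert("Example Trusted CA", nil, nil)
	client, _ = newCert("client-a", ca, caKey)
	rogue, _ = newCert("rogue", nil, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, []*x509.Certificate{client}, client, rogue
}

func main() {
	roots, store, client, rogue := BuildScenario()
	for _, vt := range []string{vtX509v3, vtSKI, vtThumbprint} {
		_, okErr := Resolve(vt, EncodeKeyIdentifier(client, vt), store, roots)
		_, badErr := Resolve(vt, EncodeKeyIdentifier(rogue, vt), store, roots)
		fmt.Printf("%s\n  enrolled client: err=%v\n  rogue cert:      err=%v\n", vt, okErr, badErr)
	}
}
```

Running it shows the two situations the thread describes. With X509v3 the endpoint keeps no per-client certificates at all; the rogue certificate is perfectly well-formed but fails chain validation because its issuer is not a trusted CA. With SKI or thumbprint the rogue's reference value is equally well-formed yet matches nothing, because the store, not the message, is what the endpoint trusts; which is also why these forms cannot work without one. The practical caveat this illustrates is that an SKI is a self-asserted extension and a thumbprint is just a hash, so an implementation must never treat a matching value as proof of anything beyond "this is the cert already in my store".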