axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ruchith Fernando" <>
Subject Re: [Axis2][Rampart] What are the differences between X509KeyIdentifier and SKIKeyIdentifier?
Date Wed, 03 Jan 2007 07:41:47 GMT

On 12/21/06, Ali Sadik Kumlali <> wrote:
> Hi folks,
> I have many clients sending messages signed with their own certificates. So, I stored
their public certificates in a keystore. After;
>   - Looking x509-token-profile-1.0 spec[1]
>   - Reading the related mail[2]
>   - Reading the "Secure Message Exchanges with Multiple Users" article in WS20[3]
> still need to understand what the differences are between X509KeyIdentifier and SKIKeyIdentifier?

X509KeyIdentifier is used to refer to a cert. And in this case the
base64 encoded cert is included directly within the key identifier
element. This can be used when the endpoint that processes the message
trust a certain CA and the users are expected to use certs that are
signed by that trusted CA. Therefore signature with a trusted cert
will be accepted. Note that the endpoint will not have to store all
client certs in this case since they will be available in the message

SKIKeyIdentifier specifies the use of the "Subject Key Identifier"
X.509 extension value as the mechanism to refer to the cert used to
sign. In this case it should be noted that the endpoint that processes
the message should have access to a store that holds the potential
certificates so that the matching cert can be fetched (based on the
SKI) to carryout signature verification.
> Both of them were accepted by the service without any change at the server side. At client
side, on the other hand, only change I made was setting <signatureKeyIdentifier> in
axis2.xml to either of X509KeyIdentifier or SKIKeyIdentifier. I examined the SOAP headers
for both and found a little difference[4].
> In this point some questions come to my mind:
> 1) Which one should I use at the client side?

This will be specified by the policy of the service or how you manage
certs of trusted users at the service. See the explanation above.

> 2) Can we say one is more compatible(or widely used) than the other?

Am not sure which one is most used but I think its purely a decision
in configuring the service.

> 3) Can we say one is more secure than the other?

IMHO both mechanisms are the same, since both of them are different
ways of referring to public information (cert).

> 4) Should I consider other signatureKeyIdentifier types (DirectReference, IssuerSerial,

DirectReference is another case where you add the base64 encoded cert
into the message. And IssuerSerial and Thumbprint both requires you to
make sure the endpoint that processes the message has access to the
certs in its store. Also note that thumbprint ref is introduced only
in WS-Sec-1.1

> 5) Should I just get a sleep and read all the docs again? :)

I guess you had your sleep :-) Sorry about the delay in my response.


> Regards,
> Ali Sadik Kumlali
> [1]
> [2]
> [3]
> [4]
> X509KeyIdentifier:
> ------------------
> <wsse:KeyIdentifier
>   EncodingType="";
>   ValueType="";>
> </wsse:KeyIdentifier>
> SKIKeyIdentifier:
> -----------------
> <wsse:KeyIdentifier
>   EncodingType="";
>   ValueType="";>
>   Xeg55vRyK3ZhAEhEf+YT0z986L0=
> </wsse:KeyIdentifier>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message