cxf-users mailing list archives

From COURTAULT Francois
Subject Spec questions
Date Thu, 05 Dec 2013 13:31:42 GMT
Hello everyone,

I am trying to understand which policy requires that a Certificate reference has to be included in
the SignedInfo section.
Is it due to the <sp:ProtectTokens/> policy assertion? In the spec at §6.5, it
is stated that:
"This boolean property specifies whether signatures must cover the token used to generate
that signature. If the value is 'true', then each token used to generate a signature MUST
be covered by that signature."

My interpretation of this sentence is that the token used for the signature has to be included
in the signature, so that the SignedInfo section has to contain the token reference: is my
interpretation correct?
It also means that if we use Asymmetric binding, it is mandatory to have in the SignedInfo
section something like:
<ds:Reference URI="X509-<thumbprint>">, right?

I also have another question. In the spec at §3.2 Token References, it is stated that the:
"<wsse:SecurityTokenReference> element MAY reference an X.509 token type by one of
the following means:

· Reference to a Subject Key Identifier
· Reference to a Binary Security Token
· Reference to an Issuer and Serial Number"

Could you confirm that the 3 means are possible and equivalent? Or, depending on a security
policy assertion, do we have to use only one of these methods?

Best Regards.
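
The property described in the quoted §6.5 sentence can be checked structurally on a received message. The following is an added example, not part of the original post and not CXF or WSS4J code: it covers only the "Reference to a Binary Security Token" case, and the sample header, the Ids `X509-1` and `Body-1`, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# WS-Security 1.0 and XML-DSig namespaces
NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]
BST = "{%s}BinarySecurityToken" % NS["wsse"]

def _frag(uri):
    """'#X509-1' -> 'X509-1'; anything that is not a same-document reference -> None."""
    return uri[1:] if uri and uri.startswith("#") else None

def token_coverage(security_xml):
    """For each ds:Signature return (signing_token_id, covered_by_signed_info).

    signing_token_id is None when KeyInfo does not point directly at exactly one
    BinarySecurityToken (key identifier, issuer/serial, dangling or duplicated Id).
    Structural check only: digests and the signature value are not validated here."""
    root = ET.fromstring(security_xml)
    ids = [e.get(WSU_ID) for e in root.iter() if e.get(WSU_ID)]
    bst_ids = {e.get(WSU_ID) for e in root.iter(BST)}
    results = []
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        signed = {_frag(r.get("URI")) for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
        direct = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        tok = _frag(direct.get("URI")) if direct is not None else None
        if tok not in bst_ids or ids.count(tok) != 1:
            tok = None  # unresolved, ambiguous, or not a direct reference
        results.append((tok, tok is not None and tok in signed))
    return results

def sample(refs):
    """Constructed wsse:Security header whose SignedInfo references the given Ids."""
    refs_xml = "".join('<ds:Reference URI="#%s"/>' % r for r in refs)
    return ('<wsse:Security xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">'
            '<wsse:BinarySecurityToken wsu:Id="X509-1">CONSTRUCTED</wsse:BinarySecurityToken>'
            '<ds:Signature><ds:SignedInfo>%(refs)s</ds:SignedInfo>'
            '<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509-1"/>'
            '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>'
            ) % dict(NS, refs=refs_xml)

if __name__ == "__main__":
    print(token_coverage(sample(["Body-1", "X509-1"])))  # token is referenced in SignedInfo
    print(token_coverage(sample(["Body-1"])))            # only the body is referenced
```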

