ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (Closed) (JIRA)" <>
Subject [jira] [Closed] (WSS-15) Documentation for direct-reference mode of message signing
Date Mon, 03 Oct 2011 09:04:34 GMT


Colm O hEigeartaigh closed WSS-15.

> Documentation for direct-reference mode of message signing
> ----------------------------------------------------------
>                 Key: WSS-15
>                 URL:
>             Project: WSS4J
>          Issue Type: Improvement
>         Environment: WSS4J 1.0.0
>            Reporter: Guy Rixon
>            Assignee: Davanum Srinivas
> The WSS4J web-site lacks instructions on how to select the direct-reference mode of message
signature (in which the sender's certificate is included in the message). In fact, there's
no documentation on the signature modes at all. I append an xdoc outlining the issuer-serial
(WSS4J default) and direct-reference modes and explaining how to select them.
> <?xml version="1.0"?>
> <document>
> 	<properties>
> 		<author email="">Guy Rixon</author>
> 		<title>Including the sender's certificate in the signed message</title>
> 	</properties>
> 	<body>
> 		<section name="Including the sender's certificate in the signed message">
> 			<p>
> 				When messages are digitally signed, the recipient must have the sender's 
> 				certificate chain in order to check the signature. Typically, the chain has
> 				two certificates: that of the sender and that of the sender's certificate
> 				authority (CA).
> 			</p>
> 			<p>
> 				There are two common ways of getting the certificates to the service.
> 			</p>
> 			<ol>
> 				<li>
> 					Install the CA's certificate in the service configuration. Send the caller's
> 					individual certificate with the signed message. This is called "direct reference",
> 					since the signature mark-up in the SOAP header refers directly to an included 
> 					credential.
> 				</li>
> 				<li>
> 					Install both the CA certificate and the caller's individual certificate in the
> 					service configuration. Send the CA's name and the serial number of the caller's
> 					certificate in the SOAP message; have the service retrieve its copy of the certificate
> 					using these metadata. This is called the "issuer-serial" method.
> 				</li>
> 			</ol>
> 			<p>
> 				The issuer-serial method presumes that all trusted users of the service are known
to the 
> 				service and have pre-registered
> 				their certificate chains before using the service. The direct-reference method presumes
> 				that the service operator trusts all users with certificates issued by a trusted
> 			</p>
> 			<p>
> 				To use the direct-reference method when using WSDoAllSender to sign the messages,
the client must 
> 				set a handler property as follows.
> 			</p>
> 			<pre>
> 				stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
> 			</pre>
> 			<p>
> 				To use the issuer-serial method, the property should be set like this:
> 			</p>
> 			<pre>
> 				stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");
> 			</pre>
> 			<p>
> 				If the property is not set, the default in WSS4J is to use the issuer-serial method.
> 			</p>
> 		</section>
> 	</body>
> </document>

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message