[wsf-dev] signing questions

Cahill, Conor P conor.p.cahill at intel.com
Fri Feb 15 14:01:13 PST 2008


> 1. Messages over TLS carrying a SAMLv2 token: - is this considered
> urn:liberty:security:2005-02:TLS:Bearer or
> urn:liberty:security:2005-02:TLS:SAMLV2

The ...:SAMLV2 method requires a signature on the message.  The 
...:Bearer method does not.  So just sticking a SAML token on a 
message without signing the message is ...:Bearer.

> 2. It appears that the "authentication mechanisms" listed do not have
> any reference to signed or unsigned.  Is this true?  How is the
> requirement of signing communicated between server/client?

As outlined above.

> 3. When are signed messages generally used in WSF?   Can it begin
> with the first SASL request to the AS?

Signed messages can be used anywhere.  In many cases, the SASL messages
to the AS are unsigned, but that is just what people have done rather 
than a rule or expectation.

The EPR for the service provider (AS, DS, PS, etc.) will define the
security mechanism which will define whether or not signing is required.

> 4. Is meta-data exchange completely out of the ID-WSF band?

The DS is the primary means of metadata exchange for ID-WSF messages,
though it isn't required (so you can have some ID-WSF environments
where the service EPR is distributed via some other means -- such
as the DS EPR showing up in a SAML SSO assertion or when a client
has a built-in EPR for the AS).

The EPR is the primary Metadata container for ID-WSF invocations.

> 5. Are responses from the WSP signed as well?   In which case I need
> the public key from the WSP.

They can be.  There's a DS option that can be used in service metadata
to define when a WSP signs responses (and can be a factor in DS
queries).
This is covered in section 3.11 of the Disco spec.

> 6. My signature references the Body, and all of the header elements.
> Why not sign the SOAP envelope and call it a day?  Is this because
> portions may be passed on to another end point?

It's part of the WS-Security model because other headers can be 
added/removed as the message is sent through other parties.   Not 
all header elements are required to be signed (all Liberty headers
are required to be signed, but there can be other headers that 
aren't necessarily signed).  I believe that the WS-Security header itself
isn't signed as the signature itself is added to that element.

> 7. Does a signed message require an x.509 token?

No.   Signatures can be based upon any of the xmldsig supported models.
Of course basic public/private keys (which aren't x.509 tokens) can
be used, but you can also use shared secret signatures.

Conor
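The following is an added example, not code from this thread or from any Liberty/ID-WSF implementation, illustrating the answers to questions 6 and 7 above: the signature references the Body and the Liberty-style header by wsu:Id instead of covering the whole envelope, so an intermediary can add an unsigned header without invalidating it, while altering a referenced part does; the wsse:Security header that carries the Signature is itself outside the signed set; and the SignatureMethod is an HMAC over a shared secret, so no X.509 token is involved. It is deliberately simplified and not interoperable with a real WS-Security stack: it uses the Python standard library's Canonical XML 2.0 rather than exclusive C14N, omits Transforms and KeyInfo, and the sb namespace string, the sample message, the shared key and the helper names are assumptions made for the example.

```python
"""Added example: sign selected SOAP parts by wsu:Id with an HMAC, WS-Security style.

Simplified for illustration only: stdlib C14N 2.0 instead of exclusive C14N,
no Transforms or KeyInfo, so it will not interoperate with a real WSS stack.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SB = "urn:liberty:sb:2006-08"  # assumed ID-WSF SOAP-binding header namespace
NSMAP = {"S": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS, "sb": SB}
for _p, _u in NSMAP.items():
    ET.register_namespace(_p, _u)

# Constructed sample request: one Liberty-style header and a Body, both carrying
# a wsu:Id so a ds:Reference can point at them, plus an empty Security header.
ENVELOPE = f"""<S:Envelope xmlns:S="{SOAP}" xmlns:wsu="{WSU}" xmlns:sb="{SB}">
  <S:Header>
    <sb:Sender wsu:Id="sender" providerID="https://wsc.example.org/"/>
    <wsse:Security xmlns:wsse="{WSSE}" S:mustUnderstand="1"/>
  </S:Header>
  <S:Body wsu:Id="body"><Query xmlns="urn:example:ps">list-friends</Query></S:Body>
</S:Envelope>"""
SHARED_KEY = b"constructed-demo-shared-secret"  # assumed, provisioned out of band


def _find_by_id(root, wsu_id):
    for el in root.iter():
        if el.get(f"{{{WSU}}}Id") == wsu_id:
            return el
    raise KeyError(wsu_id)


def _c14n(el):
    # Canonical bytes of one subtree; prefix rewriting and whitespace stripping
    # make the digest independent of the prefixes/indentation a serializer chose.
    return ET.canonicalize(ET.tostring(el, encoding="unicode"),
                           strip_text=True, rewrite_prefixes=True).encode()


def _digest(el):
    return base64.b64encode(hashlib.sha256(_c14n(el)).digest()).decode()


def sign(envelope_xml, key, wsu_ids):
    """Sign each element named in wsu_ids. The ds:Signature is placed inside
    wsse:Security, which is therefore not itself among the signed parts."""
    root = ET.fromstring(envelope_xml)
    si = ET.Element(f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod",
                  Algorithm="http://www.w3.org/2006/12/xml-c14n2")
    ET.SubElement(si, f"{{{DS}}}SignatureMethod",
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    for wsu_id in wsu_ids:
        ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="#" + wsu_id)
        ET.SubElement(ref, f"{{{DS}}}DigestMethod",
                      Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
        ET.SubElement(ref, f"{{{DS}}}DigestValue").text = _digest(_find_by_id(root, wsu_id))
    sig = ET.Element(f"{{{DS}}}Signature")
    sig.append(si)
    mac = hmac.new(key, _c14n(si), hashlib.sha256).digest()  # shared-secret signature
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    root.find("S:Header/wsse:Security", NSMAP).append(sig)
    return ET.tostring(root, encoding="unicode")


def verify(envelope_xml, key):
    """Return (ok, detail): check the HMAC over SignedInfo, then every Reference."""
    root = ET.fromstring(envelope_xml)
    sig = root.find("S:Header/wsse:Security/ds:Signature", NSMAP)
    if sig is None:
        return False, "unsigned"
    si = sig.find("ds:SignedInfo", NSMAP)
    claimed = base64.b64decode(sig.findtext("ds:SignatureValue", namespaces=NSMAP))
    if not hmac.compare_digest(claimed, hmac.new(key, _c14n(si), hashlib.sha256).digest()):
        return False, "SignedInfo"
    for ref in si.findall("ds:Reference", NSMAP):
        wsu_id = ref.get("URI").lstrip("#")
        try:
            el = _find_by_id(root, wsu_id)
        except KeyError:
            return False, wsu_id  # a referenced part was removed
        if not hmac.compare_digest(ref.findtext("ds:DigestValue", namespaces=NSMAP), _digest(el)):
            return False, wsu_id  # a referenced part was altered
    return True, "ok"


def signed_ids(envelope_xml):
    root = ET.fromstring(envelope_xml)
    path = "S:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"
    return [r.get("URI").lstrip("#") for r in root.iterfind(path, NSMAP)]


def add_unsigned_header(envelope_xml):
    """What an intermediary may legitimately do: add a header outside the signed set."""
    root = ET.fromstring(envelope_xml)
    ET.SubElement(root.find("S:Header", NSMAP), "{urn:example:routing}Via").text = "proxy-1"
    return ET.tostring(root, encoding="unicode")


def tamper_sender(envelope_xml):
    """What an attacker might try: rewrite a signed Liberty header in transit."""
    root = ET.fromstring(envelope_xml)
    root.find("S:Header/sb:Sender", NSMAP).set("providerID", "https://evil.example/")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    msg = sign(ENVELOPE, SHARED_KEY, ["sender", "body"])
    print(signed_ids(msg), verify(msg, SHARED_KEY))
    print(verify(add_unsigned_header(msg), SHARED_KEY))  # still valid
    print(verify(tamper_sender(msg), SHARED_KEY))         # fails on "sender"
```

Running it shows the two properties the thread discusses: the message survives an intermediary appending an unsigned header, and fails verification on exactly the referenced part that was modified. A real deployment would also need replay protection (a timestamp or message ID inside the signed set) and, with an X.509 or other public-key token, a KeyInfo the verifier can bind to the sender; neither is modelled here.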