[wsf-dev] signing questions

Asa Hardcastle asa.openliberty at zenn.net
Fri Feb 15 14:09:03 PST 2008


Conor: You rock!

Thanks for the answers, clarifies a lot.

asa


--
Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
Tel: +1.413.429.1044 Skype: subsystem7

On Feb 15, 2008, at 5:01 PM, Cahill, Conor P wrote:

>
>> 1. Messages over TLS carrying a SAMLv2 token: - is this considered
>> urn:liberty:security:2005-02:TLS:Bearer or urn:liberty:security:2005-02:TLS:SAMLV2
>
> The ...:SAMLV2 method requires a signature on the message.  The
> ...:Bearer method does not.  So just sticking a SAML token on a
> message without signing the message is ...:Bearer.
>
>> 2. It appears that the "authentication mechanisms" listed do not have
>> any reference to signed or unsigned.  Is this true?  How is the
>> requirement of signing communicated between server/client?
>
> As outlined above.
>
>> 3. When are signed messages generally used in WSF?   Can it begin
>> with the first SASL request to the AS?
>
> Signed messages can be used anywhere.  In many cases, the SASL messages
> to the AS are unsigned, but that is just what people have done rather
> than a rule or expectation.
>
> The EPR for the service provider (AS, DS, PS, etc.) will define the
> security mechanism which will define whether or not signing is required.
>
>> 4. Is meta-data exchange completely out of the ID-WSF band?
>
> The DS is the primary means of metadata exchange for ID-WSF messages,
> though it isn't required (so you can have some ID-WSF environments
> where the service EPR is distributed via some other means -- such
> as the DS EPR showing up in a SAML SSO assertion or when a client
> has a built-in EPR for the AS).
>
> The EPR is the primary Metadata container for ID-WSF invocations.
>
>> 5. Are responses from the WSP signed as well?   In which case I need
>> the public key from the WSP.
>
> They can be.  There's a DS option that can be used in service metadata
> to define when a WSP signs responses (and can be a factor in DS
> queries).
> This is covered in section 3.11 of the Disco spec.
>
>> 6. My signature references the Body, and all of the header elements.
>> Why not sign the SOAP envelope and call it a day?  Is this because
>> portions may be passed on to another end point?
>
> It's part of the WS-Security model because other headers can be
> added/removed as the message is sent through other parties.   Not
> all header elements are required to be signed (all Liberty headers
> are required to be signed, but there can be other headers that
> aren't necessarily signed).  I believe that the WS-Security header itself
> isn't signed as the signature itself is added to that element.
>
>> 7. Does a signed message require an x.509 token?
>
> No.   Signatures can be based upon any of the xmldsig supported models.
> Of course basic public/private keys (which aren't x.509 tokens) can
> be used, but you can also use shared secret signatures.
>
> Conor
>
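Points 6 and 7 above describe signing the Body and each Liberty header by reference (so that headers added or removed by intermediaries do not break the signature) and signing with a shared secret rather than an X.509 token. The following is an added example, not code from this thread or from the openLiberty ClientLib, that models both with the Python standard library: an HMAC stands in for the xmldsig signature, C14N 2.0 from `xml.etree` stands in for real canonicalization, and the header namespace URIs, `Id` attributes and the secret are constructed placeholders. It goes slightly beyond the thread by also covering a tampered Body and a removed signed header.

```python
"""Added example (not openLiberty project code): why ID-WSF/WS-Security
signs the Body and each Liberty header by reference instead of the whole
SOAP envelope, using a shared-secret (HMAC) signature. Standard library only."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
LIB = "urn:example:liberty-headers"                  # placeholder, not a real Liberty URI
SHARED_SECRET = b"constructed-demo-secret"           # constructed; never hard-code a real one


def build_envelope():
    """Constructed sample: two Liberty-style headers plus a Body, each carrying an Id."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(header, f"{{{LIB}}}Framework", Id="fw", version="2.0")
    ET.SubElement(header, f"{{{LIB}}}Sender", Id="sender", providerID="https://wsc.example.test")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", Id="body")
    ET.SubElement(body, "{urn:example:service}Query").text = "demo query"
    return env


def canonical(el):
    """Canonicalize one element; rewrite_prefixes makes the digest independent of prefix names."""
    return ET.canonicalize(ET.tostring(el, encoding="unicode"), rewrite_prefixes=True)


def find_by_id(env, ref_id):
    """Resolve a reference the way ds:Reference URI="#id" does."""
    for el in env.iter():
        if el.get("Id") == ref_id:
            return el
    raise KeyError(f"no element with Id={ref_id!r}")


def signed_info(env, ref_ids):
    """One digest per referenced element, like ds:Reference/ds:DigestValue in xmldsig."""
    return "\n".join(
        f"{rid}:{hashlib.sha256(canonical(find_by_id(env, rid)).encode()).hexdigest()}"
        for rid in sorted(ref_ids))


def sign_references(env, ref_ids, key=SHARED_SECRET):
    """Shared-secret signature over the digests of the referenced elements only."""
    mac = hmac.new(key, signed_info(env, ref_ids).encode(), hashlib.sha256).hexdigest()
    return {"refs": sorted(ref_ids), "mac": mac}


def verify_references(env, sig, key=SHARED_SECRET):
    """Recompute every referenced digest; any changed or missing element fails verification."""
    try:
        expected = hmac.new(key, signed_info(env, sig["refs"]).encode(), hashlib.sha256).hexdigest()
    except KeyError:            # a referenced element was removed
        return False
    return hmac.compare_digest(expected, sig["mac"])


def sign_envelope(env, key=SHARED_SECRET):
    """The 'sign the whole envelope and call it a day' alternative from question 6."""
    return hmac.new(key, canonical(env).encode(), hashlib.sha256).hexdigest()


def verify_envelope(env, mac, key=SHARED_SECRET):
    return hmac.compare_digest(sign_envelope(env, key), mac)


def intermediary_adds_header(env):
    """An intermediary appends a header that is not part of the Liberty signed set."""
    header = env.find(f"{{{SOAP}}}Header")
    ET.SubElement(header, "{urn:example:routing}Via", Id="via").text = "gateway-1"


def scenario():
    """Returns (by-reference verifies after a header is added,
                whole-envelope verifies after a header is added,
                by-reference verifies after the Body is tampered)."""
    env = build_envelope()
    ref_sig = sign_references(env, ["fw", "sender", "body"])
    whole_mac = sign_envelope(env)
    intermediary_adds_header(env)
    after_header = (verify_references(env, ref_sig), verify_envelope(env, whole_mac))
    find_by_id(env, "body")[0].text = "tampered query"
    return after_header[0], after_header[1], verify_references(env, ref_sig)


if __name__ == "__main__":
    print(scenario())   # (True, False, False)
```

The by-reference signature survives the added routing header because each digest covers only its own element, while the whole-envelope MAC breaks on the first intermediary; tampering with the Body or removing a signed header still fails the by-reference check. A real implementation would use xmldsig with Exclusive C14N and a wsu:Id, but the verification logic is the same shape.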
