[wsf-dev] signing questions
Asa Hardcastle
asa.openliberty at zenn.net
Fri Feb 15 15:48:38 PST 2008
Ah.
> It also depends on how you "sign". The TLS:SAMLV2 method means TLS + a SAML
> assertion + a signature, I think.
This makes sense. It seems that according to the idwsf-sec-mech core
v2 (6.3.4 line 595) I need to include a ds:KeyInfo to describe the key
needed to validate the signature, unless I am using peer (see below).
> The TLS:peerSAMLV2 method would be TLS + SAML assertion and that's it. Still
> "signed" but with TLS.
Peer means that the message contains a signature that uses the same
keys that the TLS layer is using, right? Or am I not understanding
this correctly?
>> The EPR is the primary Metadata container for ID-WSF invocations.
>
> Yes, but that metadata doesn't include the key (pun intended) piece of
> metadata, the KeyDescriptors. SAML metadata can be used to establish the
> trust layer.
I like the pun ;) Basically, though, I either need to include the
public key in the message, or a reference to that public key, so that
the result of the signature can be validated, right?
> There's also the fact that the message doesn't have to include the
> certificate. Usually does, but that's a hint.
By "usually does", you mean that the public key is usually included in
the KeyInfo? By "hint" do you mean a reference to the key?
thanks,
asa