[wsf-dev] signing questions
Scott Cantor
cantor.2 at osu.edu
Fri Feb 15 16:32:31 PST 2008
> > aren't necessarily signed. I believe that the WS-Security header itself
> > isn't signed as the signature itself is added to that element.
>
> It is. The Reference to that header has an enveloped transform in it to
> exclude the Signature.
Sorry for the error, as you noted on the other list, it's usually just
pointing at children inside the header, not signing the actual header. (It
could sign it, but that would limit the mutability of the header. Which is
irrelevant in 99% of the cases, but that's just how it's done.)
-- Scott
More information about the Wsf-dev
mailing list