Re: client/server clock synchronisation for username signing(WSE 1.0)
From: Manuj Aggarwal (manuj_at_canada.com)
Date: 05/07/04
- Next message: Manuj Aggarwal: "Re: GetPassword from different databases?"
- Previous message: OAR: "Re: AuthenticateToken"
- In reply to: casey chesnut: "Re: client/server clock synchronisation for username signing(WSE 1.0)"
- Next in thread: casey chesnut: "Re: client/server clock synchronisation for username signing(WSE 1.0)"
- Reply: casey chesnut: "Re: client/server clock synchronisation for username signing(WSE 1.0)"
- Reply: Tim Mackey: "Re: client/server clock synchronisation for username signing(WSE 1.0)"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 7 May 2004 10:07:59 -0700
Quoting Tim:
"will fail with a message expired, or timeout expired message."
Please correct me if I am wrong but isn't the expiry of a message determined
by the TimeStamp header:
    <wsu:Timestamp xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
      <wsu:Created>2002-11-04T19:16:50Z</wsu:Created>
      <wsu:Expires>2002-11-04T19:21:50Z</wsu:Expires>
    </wsu:Timestamp>
The TimestampInputFilter and TimestampOutputFilter determine the age of the
message by checking this header. Once I remove the filters - the message
will never expire.
Another way to make a message live forever is:
    // Retrieve the response's soap context
    SoapContext responseContext = HttpSoapContext.ResponseContext;
    // Set the expiration on the response to infinite
    responseContext.Timestamp.Ttl = 0;
Manuj Aggarwal
"casey chesnut" <casey@braSPAMins-N-braSPAMwn.com> wrote in message
news:#AI0M2ENEHA.3712@TK2MSFTNGP10.phx.gbl...
> i was thinking <Nonce/> and <Created/> from the UsernameSigningToken.
> i'm assuming that is what Tim meant with his last comment?
> in that case, the Nonce and Created Timestamp are part of the ultimate hash
> that gets sent across the wire.
> casey
> http://www.brains-N-brawn.com
>
>
> "Manuj Aggarwal" <manuj@canada.com> wrote in message
> news:%236C0cuENEHA.3420@TK2MSFTNGP11.phx.gbl...
> > I may be missing something here - but I do not think the TimeStamp
> > SoapHeader affects Nonce at all. TimeStamp header just dictates what is the
> > life of each message.
> > If you do not care about messages being too old - then removing the
> > timestamp header should be just as secure (provided you are using other
> > security mechanisms).
> >
> > Manuj Aggarwal
> >
> >
> >
> > "Tim Mackey" <tim@mackey.ie> wrote in message
> > news:2g0ur9F37q5eU1@uni-berlin.de...
> >> Hi Manuj,
> >> that's an interesting idea. would you have any comment on how secure it
> >> would be? i think the nonce would be enough to salt the password hash
> >> (without using the timestamp as well), and as long as i prevent duplicate
> >> nonce values, it should be quite secure?
> >>
> >> thanks
> >> tim
> >>
> >>
> >
> >
>
>
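The server-side checks this thread is debating, as an added example that is not part of any poster's message and is not WSE code: it verifies a digest over nonce, Created and password, rejects duplicate nonces, and shows that the Created value is what allows the nonce cache to be purged. It assumes the digest is Base64(SHA-1(nonce + created + password)) as defined in the OASIS WS-Security UsernameToken Profile; `UsernameTokenVerifier`, its members and the way the password is supplied are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: type and member names are hypothetical, not WSE APIs.
public sealed class UsernameTokenVerifier
{
    private readonly TimeSpan _window;  // accepted message age and clock skew
    private readonly Dictionary<string, DateTime> _seen = new Dictionary<string, DateTime>();

    public UsernameTokenVerifier(TimeSpan window) { _window = window; }

    // Assumed digest input: raw nonce bytes, then Created and password as UTF-8.
    public static byte[] Digest(byte[] nonce, string created, string password)
    {
        byte[] tail = Encoding.UTF8.GetBytes(created + password);
        using (SHA1 sha = SHA1.Create())
            return sha.ComputeHash(nonce.Concat(tail).ToArray());
    }

    public bool Verify(string nonceB64, string created, string digestB64,
                       string password, DateTime nowUtc)
    {
        byte[] nonce, claimed;
        try { nonce = Convert.FromBase64String(nonceB64); claimed = Convert.FromBase64String(digestB64); }
        catch (FormatException) { return false; }
        DateTime createdUtc;
        if (!DateTime.TryParse(created, CultureInfo.InvariantCulture,
                DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal, out createdUtc))
            return false;
        // 1. Freshness: reject tokens outside the window in either direction.
        if ((nowUtc - createdUtc).Duration() > _window) return false;
        // 2. The digest must match; compare in constant time.
        if (!CryptographicOperations.FixedTimeEquals(Digest(nonce, created, password), claimed))
            return false;
        // Key on re-encoded bytes so a whitespace-padded copy of a nonce still collides.
        string key = Convert.ToBase64String(nonce);
        lock (_seen)
        {
            // 3. Entries past the window would fail check 1 anyway, so drop them.
            //    Without a signed Created value this cache could never be purged.
            foreach (string old in _seen.Where(e => e.Value + _window < nowUtc).Select(e => e.Key).ToList())
                _seen.Remove(old);
            if (_seen.ContainsKey(key)) return false;  // duplicate nonce: replay
            _seen[key] = createdUtc;
            return true;
        }
    }
}
```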