Re: Signing/Encrypting with kerberos token or usernametoken
From: Hervey Wilson [MSFT] (herveyw.nospam_at_nospam.microsoft.com)
Date: 09/28/04
- Next message: Hervey Wilson [MSFT]: "Re: Policy settings tool and username tokens (not x509)"
- Previous message: Hervey Wilson [MSFT]: "Re: How to generate username or kerberos tokens automatically"
- In reply to: IP: "Re: Signing/Encrypting with kerberos token or usernametoken"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 27 Sep 2004 22:27:45 -0700
IP wrote:
> The sample just shows signing with the username token. I take it that the
> username token can also be used to somehow encrypt the message also.
>
> Is there some place where I can find details of how the username is used to
> sign and encrypt the message. I would like to understand the mechanism.
>
> I take it that the password is no longer in plain text in a message that is
> signed and encrypted with the username token ... because if it is not, can't
> someone sniff the password and replace the signed encrypted message with one
> of their own?
>
> Thanks again,
> IP
>
> "Hervey Wilson [MSFT]" wrote:
>
>
>>Indra wrote:
>>
>>>How can I define a policy that would sign and/or encrypt with a kerberos
>>>token or a usernametoken (I am assuming you can sign with a usernametoken, I
>>>don't know if that is true). The WSE Visual Studio plug-in only lets you
>>>configure certificates for signing and encrypting.
>>>
>>>I am hoping to start with a policy file such as the following:
>>><wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
>>> xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext/">
>>> <wsp:ExactlyOne>
>>> <wsse:SecurityToken wsp:Usage="wsp:Required" wsp:Preference="10">
>>> <wsse:TokenType>wsse:Kerberosv5TGT</wsse:TokenType>
>>> </wsse:SecurityToken>
>>> <wsse:SecurityToken wsp:Usage="wsp:Required" wsp:Preference="1">
>>> <wsse:TokenType>wsse:UsernameToken</wsse:TokenType>
>>> </wsse:SecurityToken>
>>> </wsp:ExactlyOne>
>>></wsp:Policy>
>>>
>>>Thanks in advance,
>>>Indra
>>>
>>
>>Check the QuickStart samples for the product: each sample has a code
>>variant and a policy variant, the UsernameToken signing example should
>>have what you need.
>>
>>--
>>This posting is provided "AS IS", with no warranties, and confers no rights.
>>
You should not use the UsernameToken to both sign and encrypt a message
to a service; instead you should sign with the username token and then
encrypt the token and the message using the service's token. If you don't
have the service's token, you should strongly consider sending this
initial message over a secure channel (always a good thing w/ the
UsernameToken).
The response from the service can be encrypted with the client's signing
token by marking the signing token in policy as the identity token. This
should be illustrated in the ResponseEncryption sample.
--
This posting is provided "AS IS", with no warranties, and confers no rights.
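The pattern described in the reply above (sign with a key derived from the UsernameToken, then encrypt the token and the message to the service) as an added, self-contained Python example; it is not WSE code and is not from the original thread. The key derivation (PBKDF2 over the password, salted with the token's nonce and created timestamp), the HMAC-based toy keystream standing in for the service's encryption token, the user database and all sample values are constructed assumptions for illustration, not WSE's actual algorithms. What it shows is the point IP was asking about: the password itself never appears in the envelope, the signature is bound to the body so a sniffed message cannot be swapped for a different one, and the nonce and timestamp let the service reject replays.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data (not from the original thread).
USER_DB = {"alice": "correct horse battery staple"}
# Stands in for the service's token; a symmetric key keeps the example stdlib-only.
SERVICE_KEY = b"constructed-service-key-32-bytes!!"


def derive_signing_key(password, nonce, created):
    """Assumption: PBKDF2 bound to nonce and created. WSE's real derivation is
    not described in the thread; the point is that the signature uses a
    derived key, never the password itself."""
    salt = nonce + created.encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, dklen=32)


def sign_message(username, password, body):
    """Client side: build a UsernameToken without the password and sign the body."""
    nonce = secrets.token_bytes(16)
    created = str(int(time.time()))
    key = derive_signing_key(password, nonce, created)
    token = {"username": username, "nonce": nonce.hex(), "created": created}
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"token": token, "body": body, "signature": sig}


def keystream(key, nonce, length):
    """Toy HMAC-counter keystream; a real deployment uses a proper cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_for_service(envelope):
    """Encrypt token + body + signature together under the service's key."""
    plaintext = json.dumps(envelope).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(SERVICE_KEY, nonce, len(plaintext))))
    return nonce + ct


def decrypt_at_service(blob):
    nonce, ct = blob[:16], blob[16:]
    pt = bytes(a ^ b for a, b in zip(ct, keystream(SERVICE_KEY, nonce, len(ct))))
    return json.loads(pt)


def client_send(username, password, body):
    """Sign first, then encrypt, as the reply recommends."""
    return encrypt_for_service(sign_message(username, password, body))


def service_receive(blob, seen_nonces, now=None, max_age=300):
    """Decrypt, then check freshness, replay, and the password-derived signature.
    Returns (True, body) on success or (False, reason) on rejection."""
    envelope = decrypt_at_service(blob)
    token = envelope["token"]
    now = int(time.time()) if now is None else now
    if now - int(token["created"]) > max_age:
        return False, "stale timestamp"
    if token["nonce"] in seen_nonces:
        return False, "replayed nonce"
    password = USER_DB.get(token["username"])
    if password is None:
        return False, "unknown user"
    key = derive_signing_key(password, bytes.fromhex(token["nonce"]), token["created"])
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["signature"]):
        return False, "bad signature"
    seen_nonces.add(token["nonce"])
    return True, envelope["body"]


if __name__ == "__main__":
    seen = set()
    blob = client_send("alice", USER_DB["alice"], "transfer 10")
    print(service_receive(blob, seen))   # accepted once
    print(service_receive(blob, seen))   # same blob again: replay rejected
```

Because the service must recompute the derived key, it has to hold (or be able to look up) the user's password, which is why the reply recommends encrypting the initial message to the service's token or sending it over a secure channel rather than relying on the UsernameToken alone for confidentiality.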