Re: WSE a cup of coffee with Softwaremaker and X509
From: andrea (a.canade_at_retis.it)
Date: 10/17/04
- Next message: Julie Lerman: "Re: WSE a cup of coffee with Softwaremaker and X509"
- Previous message: Fraser: "WSDL import"
- In reply to: Softwaremaker: "Re: WSE and X509 trouble thanks to julie and something for codemaker"
- Next in thread: Julie Lerman: "Re: WSE a cup of coffee with Softwaremaker and X509"
- Reply: Julie Lerman: "Re: WSE a cup of coffee with Softwaremaker and X509"
- Messages sorted by: [ date ] [ thread ]
Date: 17 Oct 2004 12:17:02 -0700
Hello SoftwareMaker (see?!! I've corrected your nick)
here in Rome we say
"a dinner with a woman and a coffee with a friend"
now.. I don't know your sex, but if I ever come to Singapore
I'll be glad to accept your offer (I'm sure that Singapore is
wonderful too)
:) obviously the same goes for you if you ever come to Rome (free
dinner... and coffee too, he he he)
about X509, thank you
tomorrow I'll test my application using your suggestions.. thank you very
much in advance.
there are some [andrea] comments inline below, please let the X509 thread
continue.... :)
PS:
how is Singapore coffee???
> > 1)
> > you've said that policy files define rules that
> > requester and responder must respect.
> >
> > rules means that the framework makes the necessary operations to
> > see if a soap request or a soap response is "valid" (integrity of
> > data)
> > and makes the necessary operations for signing a request or a response!
> >
> > in one word, using policy files we only write:
> >
> > [WebMethod]
> > public string Repeat(string word)
> > { return "i've said: " + word; }
> >
> > correct? (I think yes at 99.9%)
> >
>
> [Softwaremaker] I am not sure I understood you correctly. Could you
> elaborate further?
[andrea]
simply, I guess the framework takes care of performing the necessary
operations to retrieve the token and perform the "sign check" on request
or response messages
so, if I use policy files I don't write something like:
/*
bool checkX509Signature(SoapContext ctx);
is a method that checks all the tokens in the Tokens collection for an
X509SecurityToken in RequestSoapContext.Current
or in ResponseSoapContext.Current
*/
[WebMethod]
public string RepeatWord(string word)
{
    SoapContext requestContext = RequestSoapContext.Current;
    SoapContext responseContext = ResponseSoapContext.Current;
    bool isSigned = checkX509Signature(requestContext);
    if (isSigned)
    {
        return "i've said: " + word;
    }
    // every path must return or throw: reject a request that is not signed
    throw new SoapException("request is not signed", SoapException.ClientFaultCode);
}
but simply leave the body of my method unchanged:
[WebMethod]
public string RepeatWord(string word)
{
    return "i've said: " + word;
}
I think that's correct!
> [Softwaremaker] I don't know whether we could have misunderstood your
> friend's intentions. When you signed something so that someone can verify
> and authenticate it, you CANNOT always assume that the receiving party has
> your Public Key to verify it. Therefore, sometimes, we need to include the
> corresponding certificate along with the signature in the headers of the
> request so that all who receive the message can verify that the request came
> from you and that it was unaltered since you signed it. Including the
> certificate with the request is not required but it does make it convenient
> for those trying to validate the signature.
[andrea] ok!
> The first thing to note about this is that the X.509 v3 certificate that is
> Base 64 encoded which contains your Public Key is encapsulated in a
> BinarySecurityToken element inside the Security header. Again, it is not
> required to be included with the message, but it makes validating the
> signature convenient.
[andrea]
that's OK too; signature validation is the reason
we (my team) put the certificate and the key into the SOAP request or
response
> A word of caution though, this DOES NOT stop anyone from implementing a
> Mallet attack (MITM attack) and using their own Private Keys to sign the
> contents and then putting in their own Public Keys in the SOAP Response for
> verification.
[andrea]
I know.... we don't live in a secure world indeed :)
> For a project I did before, I had to do some (out-of-band)
> checking to make sure that only a set of acceptable X509 Cert thumbprints
> are allowed through. I don't think there are any standard ways of doing this
> so you are left up to your own devices. I will blog about this in a future
> post. Do check it out http://www.softwaremaker.net/blog
[andrea]
great! I'll surely read you
> If Hervey [MSFT] here has some better ideas on how to do this (stop anyone
> from implementing a Mallet attack (MITM attack) and using their own Private
> Keys to sign the contents and then putting in their own Public Keys in the
> SOAP Response for verification), I would like to hear it as well. I cannot
> offer you FREE dinner in ROME though...how does Singapore sound ? :)
[andrea]
I've said that.. accepted with pleasure.. if ever the day comes
> [Softwaremaker] AFAIK, I believe there is NO standard way to publish
> policy files for discovery now BUT there is NO stopping you if you choose to
> publish it in UDDI.
[andrea]
alas, there is no standard way to send policy files..
it could be nice to insert policy files into WSDL files as attachments
or something similar (we can insert XML Schema... why not policy
files? :) )
for now...
e-mail
or make an "ad hoc" service and publish it in UDDI.
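An added example (not code from the thread, nor from Softwaremaker's blog) of the out-of-band thumbprint check the reply above describes: the WSE policy file makes the framework verify that the body is signed and that the signature validates against the certificate carried in the message's BinarySecurityToken, but nothing in that step says the certificate belongs to a party you trust, which is exactly the gap a Mallet/MITM attacker uses by re-signing with their own key and shipping their own certificate. The web method therefore pins the signing certificate's SHA-1 thumbprint against a list configured out of band. It is written against the WSE 2.0 object model as I recall it (SoapContext, RequestSoapContext, MessageSignature, SignatureOptions, X509SecurityToken and ctx.Security.Elements are assumed names from that API); the thumbprint string is a placeholder to be replaced with a partner's real thumbprint.

```csharp
// Added example: thumbprint allowlist check on top of WSE 2.0 policy-based
// signature verification. WSE 2.0 type and member names are assumptions
// from memory of that API; the thumbprint below is a placeholder.
using System;
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;

public class RepeatService : WebService
{
    // Trusted certificate thumbprints, distributed out of band (e-mail, UDDI,
    // config file). SHA-1 of the DER certificate, hex, no spaces. PLACEHOLDER.
    private static readonly string[] TrustedThumbprints = {
        "0123456789ABCDEF0123456789ABCDEF01234567",
    };

    private static bool IsTrusted(string thumbprint)
    {
        foreach (string t in TrustedThumbprints)
        {
            if (string.Equals(t, thumbprint, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // True only if some signature in the Security header covers the SOAP body
    // AND was produced with an X.509 token whose thumbprint is pinned above.
    // The policy file has already made WSE check that the signature is
    // cryptographically valid for the certificate in the message; this adds
    // "and it is a certificate we trust", which WSE cannot decide for us.
    private static bool BodySignedByTrustedCert(SoapContext ctx)
    {
        foreach (ISecurityElement element in ctx.Security.Elements)
        {
            MessageSignature sig = element as MessageSignature;
            if (sig == null)
                continue;
            // A signature over headers only does not protect "word".
            if ((sig.SignatureOptions & SignatureOptions.IncludeSoapBody) == 0)
                continue;
            X509SecurityToken token = sig.SigningToken as X509SecurityToken;
            if (token == null)
                continue;
            // GetCertHashString() is inherited from the .NET X509Certificate
            // base class and returns the SHA-1 thumbprint as hex.
            if (IsTrusted(token.Certificate.GetCertHashString()))
                return true;
        }
        return false;
    }

    [WebMethod]
    public string RepeatWord(string word)
    {
        SoapContext ctx = RequestSoapContext.Current;
        if (ctx == null || !BodySignedByTrustedCert(ctx))
        {
            throw new SoapException("Request body must be signed by a trusted certificate.",
                                    SoapException.ClientFaultCode);
        }
        return "i've said: " + word;
    }
}
```

The same check belongs on the client side for the response: an attacker in the middle can re-sign the reply just as easily, so the client should look at ResponseSoapContext.Current and pin the service's thumbprint before trusting the body. Comparing thumbprints rather than whole certificates keeps the out-of-band list small, but it assumes SHA-1 collision resistance for certificates, which was a reasonable assumption in 2004; a modern equivalent would pin the SHA-256 hash of the certificate or of its SubjectPublicKeyInfo.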