WSE X.509 certificate capability

Thread view:

Enable EMail Alerts

Start New Thread

Thread rating:

mk - 01 Sep 2005 18:04 GMT

The following is an excerpt from an article located at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wse/html/9c2138
28-815e-41cd-9d54-419bf64c0301.asp

WSE validates that a digital signature is cryptographically correct, however
user code or Policy should be used to verify that a signature exists and that
the signature applies to the expected set of XML elements.
-----------------------------------------------------------------------

Can anybody please explain what this statement exactly means? Does not WSE
check that a signature exist? Does it not verify that the signature belongs
to the incoming SOAP request?

Reply to this Message

Pablo Cibraro - 01 Sep 2005 20:30 GMT

Yes, the policies shipped within WSE 3.0 to support all turn key scenarios
verifies that signature applies to all expected set of XML elements ( All
those elements specified in the enum
"Microsoft.Web.Services3.Security.SignatureOptions).
If you want to verify the signature for other custom elements, then you have
to write custom code to do that. (For example, to verify the signature on a
custom SOAP header).
The same happens if you have to write a custom security policy.

Regards,
Pablo Cibraro
www.lagash.com

> The following is an excerpt from an article located at:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wse/html/9c2138
28-815e-41cd-9d54-419bf64c0301.asp
[quoted text clipped - 11 lines]
> belongs
> to the incoming SOAP request?

Reply to this Message

WSE X.509 certificate capability

Free Magazines