Hi Mark,
The UsernameForCertificateAssertion always encrypts the UsernameToken (User
+ password) for you. I mean, you do not need to specify any special setting.
Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
> When using the usernameForCertificateAssertion do I need to encrypt the
> soap header or body or both to ensure that the username and password is
> not unencrypted over the wire?
>
> Thank You in advance.
Steven Cheng[MSFT] - 18 Apr 2006 06:15 GMT
Hi Mark,
As Pablo has mentioned, when you have applied the UsernameForCertificate
policy assertion, by default the assertion will encrypt the SOAP message's
body and those SOAP headers which include security data (the
WSE:security header...). You do not need to do the encryption work
manually. It is when you use a transport-layer secure channel that you
need to do the security work manually. For example, if you're using the
usernameOverTransport policy assertion, the assertion won't secure the SOAP
message and the token embedded in the message; you need to secure it by
using a secure transport channel like HTTPS/SSL.
Regards,
Steven Cheng
Microsoft Online Community Support
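The distinction drawn in the two replies above can be checked against a WSE 3.0 policy file. The following is an added example, not code from either poster or from Microsoft: it assumes the standard WSE 3.0 policy schema (`usernameForCertificateSecurity`, `usernameOverTransportSecurity`, `protection` with an `encryptBody` attribute), and the policy names and certificate subject in the sample are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"p": "http://schemas.microsoft.com/wse/2005/06/policy"}

# Constructed sample policy file: policy names and certificate subject are made up.
SAMPLE_POLICY = """<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <policy name="MessageLevel">
    <usernameForCertificateSecurity establishSecurityContext="false" messageProtectionOrder="SignBeforeEncrypt">
      <serviceToken>
        <x509 storeLocation="LocalMachine" storeName="My" findValue="CN=ExampleService" findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
  </policy>
  <policy name="TransportLevel">
    <usernameOverTransportSecurity />
  </policy>
</policies>"""


def audit_policies(xml_text):
    """Return {policy name: [findings]} for the two username assertions."""
    findings = {}
    for policy in ET.fromstring(xml_text).findall("p:policy", NS):
        notes = []
        # usernameOverTransport leaves the message and token unprotected,
        # so the endpoint has to be reached over HTTPS/SSL.
        if policy.find("p:usernameOverTransportSecurity", NS) is not None:
            notes.append("no message-level protection: endpoint must use HTTPS")
        cert = policy.find("p:usernameForCertificateSecurity", NS)
        if cert is not None:
            # The UsernameToken is encrypted by the assertion itself; body
            # encryption is reported only where it is explicitly turned off.
            notes.append("UsernameToken encrypted by the assertion")
            for direction in ("request", "response", "fault"):
                el = cert.find(f"p:protection/p:{direction}", NS)
                if el is not None and el.get("encryptBody", "").lower() == "false":
                    notes.append(f"{direction} body explicitly not encrypted")
        findings[policy.get("name")] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit_policies(SAMPLE_POLICY).items():
        print(name, "->", "; ".join(notes))
```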