Perhaps the OP isn't familiar enough with X.509 certificates? I'm
assuming that the APIs involved allow callers to see and validate the
other end's cert.
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 30, 2004 2:30 AM
To: [EMAIL PROTECTED]
Subject: RE: Signed SOAP messages
Digital Signature is a tool for achieving authentication. And
SSL does a (Client/Server) authentication before the encryption process
(that improvises confidentiality). So why do we need to do
authentication again ( by signing the soap messages) ? At the
application layer , are we assuming that the soap messages can be
mapped to users whose identity is independent of what the SSL reveals ?
- Parag
------------------------------------------------------------------------
---------------------------------------------------------
With SSL, you can be reasonably sure that no one can listen to
the conversation, but
if the messages are signed as well, you can be sure of the
identity of whom you are
speaking with. SSL alone does not do this.
Russ
*********************** HSS-Unclassified
***********************
