On Thu, 23/06/2005 at 16.48 +0200, Dittmann, Werner wrote:
> Davide,
> 
> a lot of questions :-).
> 
> IMHO some of your requirements could be added by improving the
> return data of WSSecurityEngine. Maybe we can have a discussion
> about it - what could/should go into this. As you have mentioned
> some data is already provided to the service via the result vector
> (btw, SND_SECURITY is as far as I can remember not usable for
> this because it is used for other purposes - need to check though)

Some improvements would be nice; someone could start writing a
WS-Policy/WS-SecurityPolicy implementation ;-)

> About your question for asymmetric encryption: this is not foreseen
> in the OASIS specs. It is anyhow not a good idea to use asymmetric
> encryption for large amounts of data, usually only a session key
> (generated via random generators) is encrypted. This session
> key is used as key for symmetric encryption which is much faster.
> There are also additional concerns about the use of asymmetrical
> methods for encryption (maybe you need to refer to some books here).

I'm sure using an asymmetric key could be a performance bottleneck for
large messages. What I don't understand is whether I can use it anyway
instead of attaching an EncryptedKey to each message.

Another thing is related to WS-SecurityPolicy: I can impose a
Confidentiality constraint on messages, specifying the security token
used for encryption (an X.509 certificate). My doubt starts here: does
the certificate have to be used to actually encrypt the message part, or
only the attached EncryptedKey? The policy seems not to have any
reference to encrypted keys, but only to security tokens like the
certificate itself!

For example, I wrote this policy:

<wssp:Confidentiality wsp:Usage="wsp:Required">
  <wssp:Algorithm Type="wssp:AlgEncryption"
                  URI="http://www.w3.org/2001/04/xmlenc#3des-cbc" />
  <wssp:KeyInfo>
    <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
        [ . . . ]
      </wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
  </wssp:KeyInfo>
  <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
    wsp:Body()
  </wssp:MessageParts>
</wssp:Confidentiality>

What does it mean? Must the body then be encrypted using the X.509
certificate, or does the EncryptedKey have to be encrypted using the
certificate?

I googled around a bit, but I can't find much documentation and real
life examples...

Bye,
Davide Romanini
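As an added illustration (not code from this thread, from WSS4J or from the OASIS specs), the hybrid scheme Werner describes, written in Go against the standard library: a random session key encrypts the body, and only that key is encrypted with the recipient's certificate key, which is the split that an <xenc:EncryptedKey> next to an <xenc:EncryptedData> represents in a WS-Security header. Assumptions: AES-256-GCM stands in for the 3des-cbc algorithm named in the policy above, RSA-OAEP with SHA-256 is used for key transport, and the sample body and the freshly generated RSA key pair are constructed here. The DirectRSAEncrypt helper shows concretely why the body itself is not encrypted with the asymmetric key: RSA-OAEP can carry at most a few hundred bytes per operation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedMessage holds the two pieces a WS-Security message carries:
// the wrapped session key (the <xenc:EncryptedKey> element) and the
// symmetrically encrypted body (the <xenc:EncryptedData> element).
type EncryptedMessage struct {
	WrappedKey []byte // session key encrypted with the recipient's RSA public key (RSA-OAEP)
	Nonce      []byte // AES-GCM nonce, sent in the clear alongside the ciphertext
	Ciphertext []byte // body encrypted with the session key
}

// MaxOAEPPlaintext returns how many bytes a single RSA-OAEP operation can
// carry for the given key: k - 2*hLen - 2 (190 bytes for 2048-bit RSA and SHA-256).
func MaxOAEPPlaintext(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// DirectRSAEncrypt encrypts the body itself with RSA-OAEP, the option the
// question asks about. It returns rsa.ErrMessageTooLong as soon as the body
// exceeds MaxOAEPPlaintext, which is why the specs wrap a session key instead.
func DirectRSAEncrypt(pub *rsa.PublicKey, body []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, body, nil)
}

// Encrypt implements the hybrid scheme: a fresh random session key encrypts
// the body, and only that key is encrypted with the recipient's public key.
func Encrypt(pub *rsa.PublicKey, body []byte) (*EncryptedMessage, error) {
	sessionKey := make([]byte, 32) // AES-256 key from the system CSPRNG
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, body, nil)
	// Key transport: the only thing the asymmetric key ever encrypts.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedMessage{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt is the recipient side: unwrap the session key with the private
// key, then decrypt (and integrity-check) the body with it.
func Decrypt(priv *rsa.PrivateKey, msg *EncryptedMessage) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, msg.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
}

func main() {
	// Constructed sample: the recipient's key pair and a SOAP body.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	body := []byte("<soap:Body><order id=\"42\">constructed sample</order></soap:Body>")

	msg, err := Encrypt(&priv.PublicKey, body)
	if err != nil {
		panic(err)
	}
	plain, err := Decrypt(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, body ciphertext: %d bytes, roundtrip ok: %v\n",
		len(msg.WrappedKey), len(msg.Ciphertext), string(plain) == string(body))

	// Encrypting a body larger than the OAEP limit directly with RSA fails.
	_, err = DirectRSAEncrypt(&priv.PublicKey, make([]byte, 1024))
	fmt.Printf("direct RSA on 1024-byte body: %v (limit is %d bytes)\n", err, MaxOAEPPlaintext(&priv.PublicKey))
}
```

Mapped back to the policy question: the X.509 certificate referenced by the KeyIdentifier is the key that wraps the session key (the EncryptedKey), and the EncryptedData for wsp:Body() is produced with the session key; the policy names the token because that is the key a sender must hold, not because the body is encrypted with it directly.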
