Davide,

to answer your questions about encryption need to check WSPolicy.
But as of today there is, AFAIK, no WS Security Profile that
supports a way to encrypt a body directly with asymmetric
keys, only via the indirection of symmetric keys/encryption.

Regards,
Werner

> -----Original Message-----
> From: Davide Romanini [mailto:[EMAIL PROTECTED] 
> Sent: Friday, 24 June 2005 11:48
> To: [email protected]
> Subject: Re: AW: Impose policies programmatically
> 
> 
> On Thu, 23/06/2005 at 16.48 +0200, Dittmann, Werner 
> wrote:
> > Davide,
> > 
> > a lot of questions :-).
> > 
> > IMHO some of your requirements could be added by improving the
> > return data of WSSecurityEngine. Maybe we can have a discussion
> > about it - what could/should go into this. As you have mentioned
> > some data is already provided to the service via the result vector
> > (btw, SND_SECURITY is as far as I can remember not usable for
> > this because it is used for other purposes - need to check though)
> 
> Some improvement should be nice, someone could start writing a
> WS-Policy/WS-SecurityPolicy implementation ;-)
> 
> > About your question for asymmetric encryption: this is not foreseen
> > in the OASIS specs. It is anyhow not a good idea to use asymmetric
> > encryption for large amounts of data, usually only a session key
> > (generated via random generators) is encrypted. This session
> > key is used as key for symmetric encryption which is much faster.
> > There are also additional concerns about the use of asymmetrical
> > methods for encryption (maybe you need to refer to some books here).
> 
> I'm sure using an asymmetric key could be a performance bottleneck for
> large messages. What I don't understand is if I can anyway use it
> instead of attaching EncryptedKeys for each message.
> 
> Another thing is related to WS-SecurityPolicy: I can impose a
> Confidentiality constraint to messages, specifying the security token
> used for encryption (an X.509 certificate). My doubt starts here: the
> certificate has to be used to actually encrypt the message 
> part or only
> the attached EncryptedKey? The policy seems not to have any reference
> to encrypted keys, but only to security tokens like the certificate
> itself!
> 
> For example, I wrote this policy:
> 
> <wssp:Confidentiality wsp:Usage="wsp:Required">
>   <wssp:Algorithm Type="wssp:AlgEncryption"
>       URI="http://www.w3.org/2001/04/xmlenc#3des-cbc" />
>   <wssp:KeyInfo>
>     <wsse:SecurityTokenReference>
>       <wsse:KeyIdentifier
>           ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
>         [ . . . ]
>       </wsse:KeyIdentifier>
>     </wsse:SecurityTokenReference>
>   </wssp:KeyInfo>
>   <wssp:MessageParts
>       Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
>     wsp:Body()
>   </wssp:MessageParts>
> </wssp:Confidentiality>
> 
> What does it mean? The body must then be encrypted using the X.509
> certificate or the EncryptedKey has to be encrypted using the
> certificate?
> 
> I googled around a bit, but I can't find much documentation and real
> life examples...
> 
> Bye,
> Davide Romanini
> 
> 
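The session-key indirection Werner describes (a random symmetric key encrypts the body, and the key from the recipient's X.509 certificate only wraps that session key, which is what the xenc:EncryptedKey element carries), as an added example in Go that is not part of this thread or of WSS4J. It uses only Go's standard library, assumes RSA-OAEP key transport and the policy's 3des-cbc body algorithm, and returns the raw CipherValue bytes rather than building the XML.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
)

// EncryptBody encrypts the body under a fresh random 3DES session key and wraps
// only that key with the RSA public key from the recipient's X.509 certificate.
// It returns the two CipherValues: xenc:EncryptedKey (RSA-OAEP of the session
// key) and xenc:EncryptedData (IV followed by the 3DES-CBC ciphertext).
func EncryptBody(pub *rsa.PublicKey, body []byte) (wrappedKey, cipherValue []byte, err error) {
	buf := make([]byte, 24+des.BlockSize) // 168-bit 3DES key followed by the IV
	rand.Read(buf)                        // crypto/rand.Read cannot fail (Go 1.24+)
	key, iv := buf[:24], buf[24:]
	block, _ := des.NewTripleDESCipher(key) // cannot fail for a 24-byte key
	// PKCS#7 padding satisfies XML Encryption's "last octet is the pad length" rule.
	pad := des.BlockSize - len(body)%des.BlockSize
	padded := append(append([]byte{}, body...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipherValue = make([]byte, len(iv)+len(padded))
	copy(cipherValue, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(cipherValue[len(iv):], padded)
	wrappedKey, err = rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, key, nil) // rsa-oaep-mgf1p
	return wrappedKey, cipherValue, err
}

// DecryptBody unwraps the session key with the private key matching the certificate,
// then decrypts the body, rejecting a wrong-sized key, ciphertext or padding.
func DecryptBody(priv *rsa.PrivateKey, wrappedKey, cipherValue []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha1.New(), nil, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil || len(cipherValue) < 2*des.BlockSize || len(cipherValue)%des.BlockSize != 0 {
		return nil, errors.New("unwrapped key or CipherValue has a bad length")
	}
	pt := make([]byte, len(cipherValue)-des.BlockSize)
	cipher.NewCBCDecrypter(block, cipherValue[:des.BlockSize]).CryptBlocks(pt, cipherValue[des.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > des.BlockSize {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}
```

Note that the body ciphertext is never produced with the certificate's key at all: only the 24-byte session key is, which is why the policy can name the X.509 token as the Confidentiality key while the message still carries an EncryptedKey.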
