Hi Stanislav,

I don't get the point. If we can get the client to sign something, then we
can verify the signature and be sure that the client possesses the private
key of that certificate. We can verify the trust for that certificate, so
that we determine whether we trust the certificate or not. If we trust the
certificate and signature verification is successful, then we can say that
the client is authenticated.

Using the policies, we can ask the client to send the binary certificate to
us and even do a trust verification on that cert, but I see no point in it
as an authentication mechanism, as anyone can send the binary certificate
(public key) of someone else. Am I missing something?

Thanks,
Nandana


On Jan 23, 2008 2:49 PM, Stanislav Bacik <[EMAIL PROTECTED]> wrote:

> I'd like to use Rampart for authentication using an X509 certificate, but I
> don't want to either sign or encrypt the message (because of the performance
> of the application). Is it possible with Rampart/WSS4J?
>
> Thanks,
> Stanislav
>

-- 
Nandana Mihindukulasooriya
Software Engineer
WSO2 inc.

http://nandana83.blogspot.com/
http://nandanasm.wordpress.com/
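
The point made in the reply above, as an added example that is not part of the original thread and is not Rampart or WSS4J code: a server accepts a client only when a signature over data the server chose verifies under the presented public key, so presenting a copied certificate or reusing an old signature is rejected. Assumptions: a bare RSA public key stands in for the X509 certificate, trust verification of the certificate is omitted, a server-issued nonce stands in for the signed message part, and all class and method names are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;

public class ProofOfPossessionDemo {
    // Client side: sign the bytes the server asked for with the private key.
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // Server side: true only if sig over data verifies under the presented public key.
    static boolean verify(PublicKey presented, byte[] data, byte[] sig) {
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(presented);
            s.update(data);
            return s.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or unusable key: not authenticated
        }
    }

    // Server side: a fresh random value per authentication attempt.
    static byte[] freshNonce() {
        byte[] n = new byte[32];
        new SecureRandom().nextBytes(n);
        return n;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair client = gen.generateKeyPair(); // constructed: the certificate owner
        KeyPair other = gen.generateKeyPair();  // constructed: a party holding only a copy of the certificate
        PublicKey presentedCert = client.getPublic(); // public, so either party can present it

        byte[] nonce = freshNonce();
        byte[] ownerSig = sign(client.getPrivate(), nonce);
        System.out.println("owner signs nonce:        " + verify(presentedCert, nonce, ownerSig));
        System.out.println("copied cert, other key:   " + verify(presentedCert, nonce, sign(other.getPrivate(), nonce)));
        System.out.println("old signature, new nonce: " + verify(presentedCert, freshNonce(), ownerSig));
    }
}
```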
