Re: Server Side - Sender Encryption Question

Richard,

well, if you spend the effort to maintain all your client's certs
you can do it, but with the help of your Web Service.

When receiving a request (signed or using UsernameToken) your
web service can determine which client sent it (see some info
in FAQ). Using this information you can setup the name (alias)
to use for encryption (can be done programmatically). If
you do so just don't specify this parameter in the server's
WSDD file.

Examples how to setup parameters dynamically can be found
in the testcases (test/interop/TestJAXRPCHandler).

Regards,
Werner

Richard Wareing wrote:
> Hi Abdul,
> 
>  
> 
> Thanks for the response.  The solution looks quite elegant, however
> won’t using the useReqSigCert feature on the server’s WSDoAllSender
> cause the sender to encrypt using the same public key used to verify the
> requesters signature?  I was reading that it is best to use separate
> key-pairs for signing & encryption (Ref:
> http://www.washington.edu/computing/windows/issue22/encryption.html; see
> “Keys, Keys, and More Keys” ).
> 
>  
> 
> That said, what is everyone’s experience with this, is it overkill to
> complicate key management for the benefits they cite?
> 
>  
> 
> Regards,
> 
>  
> 
> Richard Wareing
> 
> Reimer Technology Group
> 
>  
> 
>  
> 
> -----Original Message-----
> *From:* Abdul Ashik 
> [mailto:abdul.ashik-Re5JQEeQqe8AvxtiuMwx3w@xxxxxxxxxxxxxxxx]
> *Sent:* 2005 September 29 2:18 PM
> *To:* Richard Wareing
> *Cc:* Apache WSS4J-Dev Mailing List
> *Subject:* Re: Server Side - Sender Encryption Question
> 
>  
> 
> Hi Richard,
> 
> Check out the WSS4J FAQ:
> 
> http://wiki.apache.org/ws/FrontPage/WsFx/wss4jFAQ#many
> 
> "To perform response encryption set the encryption user name to
> "useReqSigCert". This is a special name that directs the WSDoAllSender
> handler to use the stored client's certificate (the clients public key)
> to perform response encryption."
> 
> Cheers,
> Ash
> 
> On 9/29/05, *Richard Wareing* <wareing-y0/d7ZP22M8@xxxxxxxxxxxxxxxx
> <mailto:wareing-y0/d7ZP22M8@xxxxxxxxxxxxxxxx>> wrote:
> 
> Is there a method of having the client request a particular encryption
> key be used to encrypt the response data?
> 
> What I'm trying to do here is have each web service user submit to us
> their public encryption key and use that to encrypt the data back to
> them (in conjunction with signing).  In other words, depending on the
> particular user that might be using the web service, we would use a
> specific public key to encrypt data back to them.
> 
> Is there a way to accomplish this?
> 
> Richard Wareing
> Reimer Technology Group
> 
> 
> ---
> [This E-mail scanned for viruses by Declude Virus]
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: 
> wss4j-dev-unsubscribe-28n8OjmUYWfNLxjTenLetw@xxxxxxxxxxxxxxxx
> <mailto:wss4j-dev-unsubscribe-28n8OjmUYWfNLxjTenLetw@xxxxxxxxxxxxxxxx>
> For additional commands, e-mail: 
> wss4j-dev-help-28n8OjmUYWfNLxjTenLetw@xxxxxxxxxxxxxxxx
> <mailto:wss4j-dev-help-28n8OjmUYWfNLxjTenLetw@xxxxxxxxxxxxxxxx>
> 
>  
>