SourceForge : Post

Project: Editor Discussion > REC:Secure Communication Profile 1.0 > Request for true "mutually-authenticated" X509 policy > List of Posts

Forum Topic - Request for true "mutually-authenticated" X509 policy: (2 Items)

View: as

Update

Duane Merrill

03/25/2008 12:28 PM

post5991

Request for true "mutually-authenticated" X509 policy

As mentioned in the previous comment, the "MutualX509" message-level policy is actually an "X.509 authentication of 
message sender to message reciever" policy.  In the case of one-way exchange patterns, the reciever's identity is never 
authenticated to the sender at all (as opposed to upon reciept of the response message).  There should probably be an 
additional policy for the common message-level sign/encrypt scenario: with protection analagous to SSL/TLS that provides
 authentication of the recipient to the sender through encryption.  The policy document would reference the current "
MutualX509" policy (or whatever it is renamed to) with the addition of the following subpolicy:

<wsp:Policy>
   <sp:EncryptedParts>
      <sp:Body/>
      <Header namespace="http://www.w3.org/2005/08/addressing"/>
   </sp:EncryptedParts>
   <sp:EncryptedElements>
      <sp:XPath>/Envelope/Header/*[@isReferenceParameter="true"]</sp:XPath>
   </sp:EncryptedElements>
</wsp:Policy>

This sign/encrypt policy might either called "MutualX509" upon renaming of the current policy of that name, or perhaps "
SecureX509".

Duane Merrill

05/01/2008 10:44 AM

post6017

Re: Request for true "mutually-authenticated" X509 policy

Resolved: left as-is.  As discussed previously, the existing "Mutual X.509" is, in fact, mutual.  Encryption is not 
exactly authenticating the recipient.  It's simply providing confidentiality.

-Duane

Return