Loading ...
Sorry, an error occurred while loading the content.

1907Re: [soaplite] SOAP and SSL Client Certificates

Expand Messages
  • simon.fairey@ft.com
    Oct 9, 2002
    • 0 Attachment
      Ok I'm confused (not hard these days, must be old age!!)

      You mentioned it works with Class/Level 3 certificates? Sorry but I'm pretty new to SSL so that bit lost me.

      So HTTPS does work although there is little support, I notice in the building of SOAPLite it mentions HTTPS support so how do I implement a client/server where a client cert is used as authorisation. At the moment my perl client seems to work but completely ignores any sort of verification process?

      Si


      Byrne Reese <breese@...>

      07/10/2002 16:09

             
              To:        simon.fairey@...
              cc:        John Hartnup <john@...>, SOAP Lite Mailing List <soaplite@yahoogroups.com>
              Subject:        Re: [soaplite] SOAP and SSL Client Certificates



      On Mon, 2002-10-07 at 09:55, simon.fairey@... wrote:
      >
      > I have to then ask how people currently go about deploying secure soap
      > services. Guess I better go and trawl the web and newsgroups a bit :-)

      I don't think one can necessarily attribute the hesitency to use HTTPS
      to secure web services to the lack of support in WSDL. WSDL describes an
      interface - not the transport mechanism to use.

      SAML is good to encrypt data within a SOAP envelope. In other words, if
      you want to protect just some of the data allowing others to still parse
      the XML (i.e. an intermediary) - than SAML seems like a good fit.
      WS-Security comes into play for authentication, and identity
      confirmation... SAML and WS-S have a lot in common, but there are
      certainly some differentiators between them.

      Right now, in my experience at Grand Central where we *only* deploy
      secure Web services is that HTTPS is the only way to go - only because
      it has such wide spread support. It is not the best solution to the
      problem, but it does provide encryption, and some level identity
      confirmation/authentication (when using Class/Level 3 certificates).
      Toolkit support is good for HTTPS, and your web server should make HTTPS
      completely transparent to SOAP::Lite.

      Verisign provides a very useful certificate that Grand Central helped to
      justify the need for: a dual purpose client and server cert. This
      enables you to use the same cert for processing requests as you do for
      sending requests. Very helpful, and it is what we use exclusively.

      IMHO, HTTPS is your best bet for right now. If you will be involving
      lots of intermediaries, take a look at Grand Central - only because it
      can help you to manage your security policies across multiple end
      points.

      BTW - If you think support for HTTPS is weak. Try finding good tools for
      SAML, and WS-S. They are virtually non-existent.

      Byrne

      >
      > Thanks for the reply.
      >
      > Si
      >
      >
      >
      >
      >         John Hartnup <john@...>
      >
      >
      > 07/10/2002 14:52
      > Please respond to John Hartnup
      >
      >         To:        simon.fairey@...
      >         cc:        soaplite@yahoogroups.com
      >         Subject:        Re: [soaplite] SOAP and SSL Client Certificates
      >
      >
      >
      >
      > On Mon, Oct 07, 2002 at 04:12:33PM +0000, simon.fairey@... wrote:
      > > Hi,
      > >
      > > I'm going to be providing some simple functions to a client via an
      > Apache
      > > mod_soap setup. There is also a requirement to use client side
      > > certificates. Now I think I have my server set up correctly and when I
      > try
      > > to acces (using SOAP::Lite) a simple hello msg via https it seems to
      > work
      > > fine with no demands for a client side certificate?
      > >
      > > Assuming my apache is set up properly then my question would be how do
      > you
      > > tell your SOAP client perl script what certificate to use when
      > accessing
      > > an SSL enabled service?
      > >
      > > I'm assuming I'm not barking up the wrong tree, I have the Programming
      > Web
      > > Services with SOAP book and am working through it but have yet to find
      > > much info on SOAP and SSL. Should I be using something like SAML,
      > briefly
      > > skimmed it in the book and now think I might go back and read it in
      > more
      > > detail!!
      >
      > My undersanding (and I look forward to being corrected on this) is that
      > in
      > general SOAP client toolkits do not cater for HTTPS client
      > authentication.
      >
      > One reason might be that WSDL doesn't provide a mechanism (to my limited
      > knowledge) to descibe a service which requires authentication.
      >
      > Another reason is that the community hasn't decided yet whether HTTPS is
      > the
      > right way to go about SOAP security. After all, the lifecycle of a SOAP
      > message
      > isn't limited to a single hop, but SSL only protects the first hope from
      > HTTPS
      > client to HTTPS server.
      >
      > It looks as if WS-Security, or one of its competitors, where the SOAP
      > body
      > consists of an encrypted element, and the SOAP header contains security
      > elements (certificates, tokens, signatures etc.) might be the way
      > security gets
      > done in the future, but at the moment there is no widely accepted way to
      > do it,
      > and certainly none that is widely implemented in a toolkit.
      >
      > You'll have to accept that whatever you implement today will probably
      > never be
      > "standard", and that if that's important to you, you'll need to
      > re-implement to
      > comply with whatever standard emerges, whenever that happens.
      >
      > OTOH, someone please tell me I'm wrong, because I have a service I'd
      > love
      > to deploy, which requires strong security.
      >
      > --
      > ------------------------------------------------------------------------
      >
      > "Feel free to browse, but try not to carouse. Hoho"
      > ------------------------------------------------------------------------
      >
      >
      >
      >
      >
      > This email may contain confidential material. If you were not an
      > intended recipient, please notify the sender and delete all copies.
      > We may monitor email to and from our network.
      >
      > To unsubscribe from this group, send an email to:
      > soaplite-unsubscribe@yahoogroups.com
      >
      >
      >
      > Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service
      > <http://docs.yahoo.com/info/terms/> .
      --
      :/ byrne

      Program Manager
      Grand Central Communications
      breese@...





      This email may contain confidential material. If you were not an
      intended recipient, please notify the sender and delete all copies.
      We may monitor email to and from our network.
    • Show all 9 messages in this topic