Signing with WSE 2.0, no cert on the server side, still works

Post by danhana » Thu, 30 Jun 2005 06:19:09

I'm new to WSE, and have my first web service using WSE 2.0 working
successfully with the client signing the outbound message to the web
service.

I am now deploying the web service to a machine other than my dev box
(where all the certs are), and was surprised to see it working
successfully, even before I put the client/calling public key cert on
the web service machine.

I dug a little deeper and found that for the purposes of signing a SOAP
message, the caller's public key is sent along with the message, so the
receiver doesn't need the cert - it can just find the public key there.
(I think I've verified this by finding the wsse:BinarySecurityToken
element in the outbound message.)

So the question (or maybe really just a clarification):

The cert I have signed with on the client side is one created with the
MAKECERT tool, so it's derived from the "Test Root". Do details about
the cert (CN, etc.) and the "certification path" get sent along with the
public key in the message?

Without the caller's full public key cert installed on the web service
machine, how does WSE know that it's derived from "Test Root" (which is
OK for now with the allowTestRoot=true setting)?

Or... does the web service machine not care about the cert path at the
point of verifying the signature? Maybe all it cares about is that the
message:
1) signature gets verified properly against the public key
2) cert matches the Subject Name and extension configured in the web
service policyCache.config file?
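The point behind the question is that signature verification and trust are two separate checks. A wsse:BinarySecurityToken with the X509v3 value type carries the whole DER-encoded certificate (subject, issuer and extensions included), not just a bare public key, so the receiver can verify the signature with nothing installed locally. Whether the receiver should *trust* that certificate is a separate decision: the chain has to end at a root the receiver holds (or, for MAKECERT certs, the Test Root admitted by allowTestRoot), and the subject has to match what policy expects. The following Go program is an added example, not code from the post or from WSE, that models the three checks with a constructed stand-in for the Security header (the `SignedMessage` type, the `BuildTestPKI`, `Sign`, `VerifySignature`, `VerifyTrust` and `Accept` functions are all assumptions for illustration). It shows that a message from a MAKECERT-style client signs and verifies fine on a receiver that has no roots, but is only accepted once the Test Root is trusted and the subject matches.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedMessage is a constructed stand-in for what travels in the WS-Security header:
// the signed body, the signer's certificate (base64 DER, as in wsse:BinarySecurityToken)
// and the signature value. It is not WSE's own type.
type SignedMessage struct {
	Body      []byte
	TokenB64  string
	Signature []byte
}

func issueCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildTestPKI mimics MAKECERT: a self-signed "Test Root" and a client cert issued under it.
func BuildTestPKI() (root, client *x509.Certificate, clientKey *rsa.PrivateKey) {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	clientKey, _ = rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = issueCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "WSE Client"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	client = issueCert(clientTmpl, root, &clientKey.PublicKey, rootKey)
	return root, client, clientKey
}

// Sign builds the message the client sends: body, its full certificate, and an RSA signature over the body.
func Sign(body []byte, cert *x509.Certificate, key *rsa.PrivateKey) SignedMessage {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return SignedMessage{Body: body, TokenB64: base64.StdEncoding.EncodeToString(cert.Raw), Signature: sig}
}

// VerifySignature checks the signature with the key inside the token. This is the step that
// succeeds with no certificate installed on the receiver: the token itself supplies the key.
func VerifySignature(m SignedMessage) (*x509.Certificate, error) {
	der, err := base64.StdEncoding.DecodeString(m.TokenB64)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("token does not carry an RSA key")
	}
	digest := sha256.Sum256(m.Body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Signature); err != nil {
		return nil, err
	}
	return cert, nil
}

// VerifyTrust is the separate trust decision: the presented certificate must chain to a root
// the receiver holds. An empty pool (no roots, no Test Root) rejects the chain.
func VerifyTrust(cert *x509.Certificate, trustedRoots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range trustedRoots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Accept models the receiver's complete policy: valid signature, trusted chain, expected subject.
func Accept(m SignedMessage, expectedCN string, trustedRoots ...*x509.Certificate) error {
	cert, err := VerifySignature(m)
	if err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	if err := VerifyTrust(cert, trustedRoots...); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if cert.Subject.CommonName != expectedCN {
		return fmt.Errorf("subject %q does not match policy %q", cert.Subject.CommonName, expectedCN)
	}
	return nil
}

func main() {
	root, client, key := BuildTestPKI()
	m := Sign([]byte("<soap:Body>constructed sample body</soap:Body>"), client, key)
	_, sigErr := VerifySignature(m)
	fmt.Println("signature verifies with no local certs:", sigErr == nil)
	fmt.Println("accepted with no trusted roots:", Accept(m, "WSE Client"))
	fmt.Println("accepted with Test Root trusted:", Accept(m, "WSE Client", root))
}
```

The split mirrors what the receiver needs: the token gives it the key and the subject, so checks 1 and 2 from the post work without any installed certificate, while chain validation is the piece that needs a locally trusted root (hence the allowTestRoot setting for MAKECERT chains).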