An X.509 binary security token is the base64 encoded representation of an X.509 public certificate.
The following table describes the X.509 token type.
X.509 token type | Description |
---|---|
X.509 version 1 | Contains just the X.509 public certificate. |
X.509 version 3 | Contains just the X.509 public certificate. |
PKIPath | Contains an ordered list of X.509 public certificates packaged in a PKIPath. The X509PKIPathv1 token type may be used to represent a certificate path. |
PKCS7 | Contains a list of X.509 certificates and, optionally, certificate revocation lists (CRLs) packaged in a PKCS#7 wrapper. The PKCS7 token may be used to represent a certificate path. |
X.509 tokens are generally used to protect a SOAP message with XML Digital Signature or XML Encryption. Although not recommended, an X.509 token can also be used as an authentication token.
When you authenticate a token, you are verifying that the sender of a token is who he says he is. You take a piece of public information that is sent in the message, such as a a user id, and verify it somehow with a piece of private information that only they can provide, such as a password.
As a very simple example, when you authenticate a UsernameToken, the user name and password are passed in the SOAP message and they are checked against the user registry at the endpoint.
For an X.509 certificate, the public information is the public key/DN and the private information is the private key. Unlike the password for a UsernameToken, the private key is not sent in the message.
After the signature is verified, you know that the sender of the message is the holder of the private key; you know that he is who he says he is.
If you pass an X.509 token in a message without using its private key to sign the message, you will not perform step #2. You will not verify that the sender of the message is the holder of the private key, or he is who he says he is. When you sign a message, you are doing something that only the holder of the private key can do.
It is not recommend that an unprotected X.509 token be sent in a message. If an X.509 token is to be used for authentication, it is recommend that one X.509 token be sent in the message and that X.509 token be used for both Digital Signature and authentication, with a caller configuration. The signing part reference is used in the caller settings.
The following table describes the X.509 token value types.
X.509 token type | Value type |
---|---|
X.509 Version 1 | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509 |
X.509 Version 3 | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 |
PKIPath | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1 |
PKCS7 | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7 |