OASIS ebXML Messaging Services TC

Matching certificate to From/PartyId in message signing

  • 1.  Matching certificate to From/PartyId in message signing

    Posted 04-24-2018 08:10
    Hi, Some ebMS3/AS4 deployments use a PKI approach for signing certificates and expect P-Modes and/or trust store to be configured just for the accepted roots,   not for leaf certificates.  In this approach, a receiving MSH is expected to check that the presented certificate is valid and chains to (one of) the accepted root(s).  It does not need to check that the presented leaf certificate itself is trusted. However,  an additional check is needed to check that the presented certificate is issued to the sender.  This check would compare the CN (or some other attribute value) in the certificate to the From/PartyId value.  If this check fails,  I am wondering how this failure is reported.  I see (at least) two approaches: 1)   it is considered an authentication failure to be reported using a wsse:FailedAuthentication SOAP Fault.  But this assumes that the WS-Security module is somehow extended to do additional ebMS3-specific checks. 2)   it is considered a P-Mode inconsistency that could be reported using the EBMS:0003,  ValueInconsistent.  This can even be checked before signature validation. I so far know one product implements option (1).    I am wondering what other implementations are doing? We could also leave the specifics to implementations,  as long as a failure is raised.  I'm asking as a user is extending its testbed to cover for this case. Kind Regards, Pim