[Fedora-suds-list] RFC: proposed WSSE change in suds
Jeff Ortel
jortel at redhat.com
Wed Mar 3 14:51:38 UTC 2010
All,
The following change has been proposed by a suds user. It seems correct but I'm concerned
it may break existing WSSE users. So, if you use WSSE with suds, please review and post
comments.
Thanks,
Jeff
>
> According to the document, there are two mandatory elements - UserName and
> Password, and two optional elements - Nonce and Created.
>
> If Nonce and Created are not used, then Password contains the actual
> password, sent in the clear.
>
> If Nonce and Created are used, then Password must be constructed as follows
>
> Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
>
> This gives some degree of protection over the password.
>
> It seems to me that suds allows use of Nonce and Created, but still sends
> the password in the clear, which rather defeats the object.
>
> Does this sound right, or am I missing something?
>