Nonce on plain-text UsernameToken may still be important and perhaps should be used unencrypted in the security header?
is a discussion of Nonce on plain-text UsernameToken. Glen Mazza wrote that a Nonce on an encrypted transport makes no sense, and this might be the reason why Metro does not implement it.
.. Metro uses Nonce only on the digest password profile, which can be used with unencrypted transport ..
Here I have a question about replay attacks using the whole SOAP message:
.. Bad guys can sniff the whole encrypted message (SSL or XmlEncryption) and attack the service with this sniffed data ..
Is this so?
-> From my point of view a Nonce should be placed unencrypted on every message, so that the service can reject it very fast without encryption overhead on replay attacks.
What is the WS-Security answer to this, and what is Metro's answer?
Regards, Andre, Berlin!
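An added example (not part of the original post and not Metro's code) of the receiver-side check the question is about: the WS-Security UsernameToken digest profile carries a Nonce and a Created timestamp, and the receiver rejects stale timestamps, then looks the nonce up in a bounded cache before doing any digest work, so a replayed message is refused cheaply. The five-minute window, the user table and the sample timestamps are assumed.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Assumed acceptance window for wsu:Created; the nonce cache must cover at least this long.
FRESHNESS = timedelta(minutes=5)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


class UsernameTokenReplayGuard:
    """Receiver side: stale Created is rejected first, then a seen nonce is rejected
    by a cheap lookup before any digest work; only verified nonces enter the cache."""

    def __init__(self, passwords: dict, freshness: timedelta = FRESHNESS):
        self._passwords, self._freshness, self._seen = passwords, freshness, {}

    def check(self, username, nonce_b64, created, digest_b64, now):
        created_dt = datetime.fromisoformat(created.replace("Z", "+00:00"))
        if abs(now - created_dt) > self._freshness:
            return "rejected: Created outside freshness window"
        cutoff = now - self._freshness               # drop nonces older than the window
        self._seen = {n: c for n, c in self._seen.items() if c >= cutoff}
        nonce = base64.b64decode(nonce_b64)
        if nonce in self._seen:
            return "rejected: replayed nonce"        # no digest computed for a replay
        password = self._passwords.get(username)
        if password is None or not hmac.compare_digest(
                password_digest(nonce, created, password), digest_b64):
            return "rejected: bad credentials"       # an unverified nonce is not cached
        self._seen[nonce] = created_dt
        return "accepted"


def make_token(username, password, created, nonce=None):
    """Client side: the fields a wsse:UsernameToken carries (constructed sample values)."""
    nonce = nonce or os.urandom(16)
    return username, base64.b64encode(nonce).decode(), created, password_digest(nonce, created, password)


def demo():
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)         # assumed receiver clock
    guard = UsernameTokenReplayGuard({"andre": "s3cret"})           # assumed user table
    fresh = make_token("andre", "s3cret", "2024-01-01T11:59:30Z")
    stale = make_token("andre", "s3cret", "2024-01-01T11:50:00Z")
    wrong = make_token("andre", "wrong", "2024-01-01T11:59:00Z")
    retry = make_token("andre", "s3cret", "2024-01-01T11:59:00Z", base64.b64decode(wrong[1]))
    return [guard.check(*t, now=now) for t in (fresh, fresh, stale, wrong, retry)]
```

The second submission of `fresh` is refused on the nonce lookup alone, which is the fast rejection the question asks for; the nonce of the failed `wrong` message is deliberately not cached, so a correct retry with it still succeeds.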