- A reference to a <BinarySecurityToken> earlier in the WS-Security header, as shown in the preceding example. In this case, the corresponding private key was used to create the signature.
- Information to identify a certificate, which presumably the message recipient has previously received and stored. For example, the <SecurityTokenReference> could include the SHA1 thumbprint of the certificate, as follows:

  <SecurityTokenReference xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <KeyIdentifier EncodingType="[parts omitted]#Base64Binary"
                   ValueType="[parts omitted]#ThumbprintSHA1">
      maedm8CNoh4zH8SMoF+3xV1MYtc=
    </KeyIdentifier>
  </SecurityTokenReference>

  As with the previous case, the corresponding private key was used to create the signature.
- A reference to a <DerivedKeyToken> earlier in the WS-Security header. For example:

  <SecurityTokenReference xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <Reference URI="#Enc-BACCE807-DB34-46AB-A9B8-42D05D0D1FFD"></Reference>
  </SecurityTokenReference>

  In this case, the signature was created by the symmetric key indicated by that token.
- A reference to an implied <DerivedKeyToken>. For example:

  <SecurityTokenReference xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd"
                          s01:Nonce="mMDk0zn8V7WTsFaIjUJ7zg=="
                          xmlns:s01="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
    <Reference URI="#Id-93F97220-568E-47FC-B3E1-A2CF3F70B29B"></Reference>
  </SecurityTokenReference>

  In this case, the URI attribute in <Reference> points to the <EncryptedKey> element used to generate the <DerivedKeyToken>, and the Nonce attribute indicates the nonce value that was used. As with the previous case, the derived key was used to encrypt the data.
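The following is an added example, not code from the original page or from any WS-Security implementation: a small Python checker that resolves each of the four <SecurityTokenReference> forms listed above against the WS-Security header it appears in and reports which kind of key the signature claims to have been made with. It fills in the namespace URIs the page abbreviates as "[parts omitted]" with the standard OASIS values, and everything else (the sample header, the stand-in certificate bytes, the function names classify_header and cert_thumbprint_b64) is constructed for the example. A receiver that does this resolution before verifying a signature can reject dangling references and thumbprints that do not match a stored certificate instead of trusting whatever the sender put in <KeyInfo>.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

# Standard namespace URIs from the OASIS WS-Security / WS-SecureConversation specs
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSC = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def q(ns, local):
    """Clark-notation tag name used by ElementTree."""
    return "{%s}%s" % (ns, local)


def cert_thumbprint_b64(der_cert: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, base64-encoded: the KeyIdentifier text form."""
    return base64.b64encode(hashlib.sha1(der_cert).digest()).decode("ascii")


# Constructed stand-in for a DER certificate; a real receiver would use the stored X.509 bytes.
FAKE_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-CERT-BYTES-NOT-A-REAL-X509"


def index_ids(header):
    """Map every wsu:Id (tokens) and plain Id (xenc:EncryptedKey) in the header to its element."""
    ids = {}
    for el in header.iter():
        for attr in (q(WSU, "Id"), "Id"):
            if el.get(attr):
                ids[el.get(attr)] = el
    return ids


def classify_str(str_el, ids):
    """Decide which of the four reference forms a single SecurityTokenReference uses."""
    key_id = str_el.find(q(WSSE, "KeyIdentifier"))
    if key_id is not None:  # form 2: certificate identified by thumbprint
        if key_id.get("ValueType") != THUMBPRINT_SHA1:
            return {"kind": "unsupported-key-identifier", "value_type": key_id.get("ValueType")}
        return {"kind": "thumbprint", "thumbprint": (key_id.text or "").strip()}
    ref = str_el.find(q(WSSE, "Reference"))
    if ref is None:
        return {"kind": "unsupported"}
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        return {"kind": "external-uri", "uri": uri}  # not a same-document reference
    target = ids.get(uri[1:])
    if target is None:
        return {"kind": "dangling", "uri": uri}  # nothing in this header carries that Id
    nonce = str_el.get(q(WSC, "Nonce"))
    if target.tag == q(WSSE, "BinarySecurityToken"):
        return {"kind": "direct-bst", "id": uri[1:]}  # form 1: asymmetric key in the token
    if target.tag == q(WSC, "DerivedKeyToken"):
        return {"kind": "derived-key", "id": uri[1:]}  # form 3: explicit derived symmetric key
    if target.tag == q(XENC, "EncryptedKey"):
        if nonce is None:
            return {"kind": "encrypted-key", "id": uri[1:]}
        return {"kind": "implied-derived-key", "id": uri[1:], "nonce": nonce}  # form 4
    return {"kind": "unexpected-target", "tag": target.tag}


def classify_header(header_xml, trusted_thumbprints):
    """Classify the SecurityTokenReference under every ds:KeyInfo in a WS-Security header."""
    header = ET.fromstring(header_xml)
    ids = index_ids(header)
    results = []
    for key_info in header.iter(q(DS, "KeyInfo")):
        str_el = key_info.find(q(WSSE, "SecurityTokenReference"))
        if str_el is None:
            continue
        r = classify_str(str_el, ids)
        if r["kind"] == "thumbprint":
            r["trusted"] = r["thumbprint"] in trusted_thumbprints
        results.append(r)
    return results


# Constructed sample header exercising all four forms plus a dangling reference.
SAMPLE_HEADER = f"""<o:Security xmlns:o="{WSSE}" xmlns:u="{WSU}" xmlns:c="{WSC}" xmlns:e="{XENC}" xmlns:ds="{DS}">
  <o:BinarySecurityToken u:Id="uuid-bst-1" EncodingType="{BASE64_BINARY}">MIIB...</o:BinarySecurityToken>
  <e:EncryptedKey Id="Enc-1"><e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData></e:EncryptedKey>
  <c:DerivedKeyToken u:Id="dk-1">
    <o:SecurityTokenReference><o:Reference URI="#Enc-1"/></o:SecurityTokenReference>
  </c:DerivedKeyToken>
  <ds:Signature><ds:KeyInfo><o:SecurityTokenReference><o:Reference URI="#uuid-bst-1"/></o:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  <ds:Signature><ds:KeyInfo><o:SecurityTokenReference>
    <o:KeyIdentifier EncodingType="{BASE64_BINARY}" ValueType="{THUMBPRINT_SHA1}">{cert_thumbprint_b64(FAKE_CERT_DER)}</o:KeyIdentifier>
  </o:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  <ds:Signature><ds:KeyInfo><o:SecurityTokenReference><o:Reference URI="#dk-1"/></o:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  <ds:Signature><ds:KeyInfo><o:SecurityTokenReference c:Nonce="mMDk0zn8V7WTsFaIjUJ7zg=="><o:Reference URI="#Enc-1"/></o:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  <ds:Signature><ds:KeyInfo><o:SecurityTokenReference><o:Reference URI="#no-such-token"/></o:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</o:Security>"""

if __name__ == "__main__":
    for r in classify_header(SAMPLE_HEADER, {cert_thumbprint_b64(FAKE_CERT_DER)}):
        print(r)
```

Only the reference found directly under ds:KeyInfo is classified; the <SecurityTokenReference> nested inside the <DerivedKeyToken> is the token's own pointer to its source key and is deliberately skipped. The thumbprint check compares against a set of thumbprints the receiver already holds, which is the "previously received and stored" condition the second form depends on.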