3.3.4.1.1.1.2 GetPolicies using Certificate Authentication

The GetPolicies request message is sent from the client to the server to retrieve the certificate policies for enrollment.

   <wsdl:message name="IPolicy_GetPolicies_InputMessage">
     <wsdl:part name="request" element="xcep:GetPolicies"/>
   </wsdl:message>

xcep:GetPolicies: An instance of a <GetPolicies> element as specified in [MS-XCEP] section 3.1.4.1.2.1. MDE2 modifies the GetPolicies message defined in [MS-XCEP] section 3.1.4.1.1.1.

Authentication MUST be implemented for this message as defined in section 3.3. In summary, the following elements and attributes MUST be specified in the SOAP header:

wsse:Security: The <wsse:Security> element MUST be a child of <s:Header>.

u:Timestamp: The <u:Timestamp> element MUST be a child of <wsse:Security> in <s:Header> for certificate authentication.

u:Created: The <u:Created> element MUST be a child of <u:Timestamp> in <s:Header> for certificate authentication. The value is a date/time.

u:Expires: The <u:Expires> element MUST be a child of <u:Timestamp> in <s:Header> for certificate authentication. The value is a date/time.

wsse:BinarySecurityToken: The <wsse:BinarySecurityToken> element MUST be a child of <wsse:Security> in <s:Header> for certificate authentication.

wsse:BinarySecurityToken/attributes/ValueType: The value type MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" for certificate authentication.

wsse:BinarySecurityToken/attributes/Id: The value is a string that identifies this token within the message; the <wsse:Reference> element under <ds:KeyInfo> uses it to locate the signing certificate.

wsse:BinarySecurityToken/attributes/EncodingType: The <wsse:BinarySecurityToken> EncodingType attribute MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" for certificate authentication.

ds:Signature: The <ds:Signature> element MUST be a child of <wsse:Security> in <s:Header> for certificate authentication.

ds:SignedInfo: The <ds:SignedInfo> element MUST be a child of <ds:Signature> in <s:Header> for certificate authentication.

ds:CanonicalizationMethod: The <ds:CanonicalizationMethod> element MUST be a child of <ds:SignedInfo> in <s:Header> for certificate authentication.

ds:CanonicalizationMethod/attributes/Algorithm: The <ds:CanonicalizationMethod> Algorithm attribute MUST be "http://www.w3.org/2001/10/xml-exc-c14n#".

ds:SignatureMethod: The <ds:SignatureMethod> element MUST be a child of <ds:SignedInfo> in <s:Header> for certificate authentication.

ds:SignatureMethod/attributes/Algorithm: The <ds:SignatureMethod> Algorithm attribute MUST be "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".

ds:Reference: The <ds:Reference> element MUST be a child of <ds:SignedInfo> in <s:Header> for certificate authentication.

ds:Reference/attributes/URI: The <ds:Reference> URI attribute MUST be "" (the empty string), so the signature covers the whole enclosing document, with the <ds:Signature> element itself removed by the enveloped-signature transform.

ds:Transforms: The <ds:Transforms> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication.

ds:Transform: The <ds:Transform> element MUST be a child of <ds:Transforms> in <s:Header> for certificate authentication.

ds:Transform/attributes/Algorithm: The <ds:Transform> Algorithm attribute MUST be "http://www.w3.org/2000/09/xmldsig#enveloped-signature".

ds:DigestMethod: The <ds:DigestMethod> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication.

ds:DigestMethod/attributes/Algorithm: The <ds:DigestMethod> Algorithm attribute MUST be "http://www.w3.org/2001/04/xmlenc#sha256".

ds:DigestValue: The <ds:DigestValue> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication. The value is a base64-encoded string (the SHA-256 digest of the transformed, canonicalized document).

ds:SignatureValue: The <ds:SignatureValue> element MUST be a child of <ds:Signature> in <s:Header> for certificate authentication. The value is a base64-encoded string (the RSA-SHA256 signature over the canonicalized <ds:SignedInfo>).

ds:KeyInfo: The <ds:KeyInfo> element MUST be a child of <ds:Signature> in <s:Header> for certificate authentication.

wsse:SecurityTokenReference: The <wsse:SecurityTokenReference> element MUST be a child of <ds:KeyInfo> in <ds:Signature> in <s:Header> for certificate authentication.

wsse:Reference: The <wsse:Reference> element MUST be a child of <wsse:SecurityTokenReference> in <s:Header> for certificate authentication.

wsse:Reference/attributes/URI: The <wsse:Reference> URI attribute is a string that identifies the <wsse:BinarySecurityToken> in the same <wsse:Security> header, conventionally "#" followed by that token's Id attribute value; the server uses it to locate the certificate whose key it verifies the signature with.

wsse:Reference/attributes/ValueType: The <wsse:Reference> ValueType attribute MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509".

The following elements with their specified values MUST be included in the SOAP body of the request message.

xcep:requestFilter: MDE2 modifies the <GetPolicies> element by setting the xsi:nil attribute of the <requestFilter> element to "true" (see [MS-XCEP] section 3.1.4.1.2.1).

xcep:lastUpdate: MDE2 modifies the <client> element of <GetPolicies> (type Client, [MS-XCEP] section 3.1.4.1.3.9) by setting the xsi:nil attribute of its <lastUpdate> child element to "true".

xcep:preferredLanguage: MDE2 modifies the <client> element of <GetPolicies> (type Client, [MS-XCEP] section 3.1.4.1.3.9) by setting the xsi:nil attribute of its <preferredLanguage> child element to "true".
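The following is an added example, not code from [MS-MDE2] or from any Microsoft implementation. It builds a constructed GetPolicies request with the header and body shape described in this section (token, digest and signature values are placeholders) and runs a server-side structural check over it: every MUST above on element nesting and algorithm identifiers, the linkage between the <wsse:Reference> URI and the <wsse:BinarySecurityToken> Id, the xsi:nil body elements, and a Created/Expires freshness window that the section leaves to the server. It uses only the Python standard library and therefore does not verify the XML signature or the certificate chain; a real server does that with an XML-DSig library after this shape check passes. The SOAP 1.2 envelope and XCEP namespace URIs are assumptions of the example; the wsse, u, ds and xsi URIs are the ones this section quotes.

```python
"""Structural validator for an MDE2 GetPolicies request using certificate authentication.
Added example, not code from [MS-MDE2]. Checks header shape, algorithm URIs, token linkage,
timestamp window and xsi:nil body elements; it does NOT verify the signature or the chain."""
import datetime as dt
import xml.etree.ElementTree as ET

# wsse/u/ds/xsi URIs are the ones the section quotes; SOAP 1.2 and XCEP URIs are assumptions.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xcep": "http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
X509 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509"
B64 = NS["wsse"] + "#base64binary"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
NIL = "{%s}nil" % NS["xsi"]

def _one(parent, path, problems):
    """Return the single child matched by `path`, or None after recording a problem."""
    hits = parent.findall(path, NS) if parent is not None else []
    if len(hits) != 1:
        problems.append("expected exactly one %s, found %d" % (path, len(hits)))
        return None
    return hits[0]

def _attr(elem, name, expected, problems):
    if elem is not None and elem.get(name) != expected:
        problems.append("%s@%s is %r, expected %r" % (elem.tag.split("}")[1], name, elem.get(name), expected))

def _ts(text):
    return dt.datetime.fromisoformat(text.strip().replace("Z", "+00:00"))

def validate_getpolicies(xml_text, now_iso, max_skew=dt.timedelta(minutes=5)):
    """Return the list of violated MUSTs (an empty list means the request conforms)."""
    p = []
    env = ET.fromstring(xml_text)
    sec = _one(env, "s:Header/wsse:Security", p)
    ts = _one(sec, "u:Timestamp", p)
    created, expires = _one(ts, "u:Created", p), _one(ts, "u:Expires", p)
    if created is not None and expires is not None:
        c, e, now = _ts(created.text), _ts(expires.text), _ts(now_iso)
        # Replay defence the section leaves to the server: reject stale or not-yet-valid requests.
        if not (c < e and c - max_skew <= now <= e):
            p.append("timestamp window %s..%s does not cover %s" % (c, e, now))
    bst = _one(sec, "wsse:BinarySecurityToken", p)
    _attr(bst, "ValueType", X509V3, p)
    _attr(bst, "EncodingType", B64, p)
    sig = _one(sec, "ds:Signature", p)
    si = _one(sig, "ds:SignedInfo", p)
    _attr(_one(si, "ds:CanonicalizationMethod", p), "Algorithm", EXC_C14N, p)
    _attr(_one(si, "ds:SignatureMethod", p), "Algorithm", RSA_SHA256, p)
    ref = _one(si, "ds:Reference", p)
    _attr(ref, "URI", "", p)  # empty URI: the whole envelope is what gets signed
    _attr(_one(ref, "ds:Transforms/ds:Transform", p), "Algorithm", ENVELOPED, p)
    _attr(_one(ref, "ds:DigestMethod", p), "Algorithm", SHA256, p)
    _one(ref, "ds:DigestValue", p); _one(sig, "ds:SignatureValue", p)
    wref = _one(sig, "ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", p)
    _attr(wref, "ValueType", X509, p)
    if wref is not None and bst is not None:  # signing cert must be the token in this header
        token_id = bst.get("{%s}Id" % NS["u"]) or bst.get("Id")
        if not token_id or wref.get("URI") != "#" + token_id:
            p.append("wsse:Reference URI does not point at the BinarySecurityToken Id")
    body = _one(env, "s:Body/xcep:GetPolicies", p)
    for path in ("xcep:requestFilter", "xcep:client/xcep:lastUpdate", "xcep:client/xcep:preferredLanguage"):
        el = _one(body, path, p)
        if el is not None and el.get(NIL) != "true":
            p.append('%s must carry xsi:nil="true"' % path)
    return p

def sample_request(created="2024-05-01T10:00:00Z", expires="2024-05-01T10:05:00Z", sig_alg=RSA_SHA256):
    """Constructed request for the example; token, digest and signature are placeholders."""
    return f'''<s:Envelope xmlns:s="{NS["s"]}" xmlns:wsse="{NS["wsse"]}" xmlns:u="{NS["u"]}"
  xmlns:ds="{NS["ds"]}" xmlns:xcep="{NS["xcep"]}" xmlns:xsi="{NS["xsi"]}">
 <s:Header><wsse:Security>
  <u:Timestamp><u:Created>{created}</u:Created><u:Expires>{expires}</u:Expires></u:Timestamp>
  <wsse:BinarySecurityToken u:Id="uuid-cert-1" ValueType="{X509V3}" EncodingType="{B64}">PLACEHOLDER-CERT</wsse:BinarySecurityToken>
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/><ds:SignatureMethod Algorithm="{sig_alg}"/>
    <ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms>
     <ds:DigestMethod Algorithm="{SHA256}"/><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>
   </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#uuid-cert-1" ValueType="{X509}"/>
   </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
 </wsse:Security></s:Header>
 <s:Body><xcep:GetPolicies>
  <xcep:client><xcep:lastUpdate xsi:nil="true"/><xcep:preferredLanguage xsi:nil="true"/></xcep:client>
  <xcep:requestFilter xsi:nil="true"/>
 </xcep:GetPolicies></s:Body>
</s:Envelope>'''

if __name__ == "__main__":
    print(validate_getpolicies(sample_request(), "2024-05-01T10:02:00Z"))  # []
```

A conforming request yields an empty list; swapping the signature method for a weaker algorithm or presenting the request outside its Created/Expires window each produce a single, specific violation, which is the behaviour a server should have before it spends any effort on signature verification. Note that the check on the <wsse:Reference> URI matters: a signature that verifies under some certificate is worthless unless that certificate is the one the message actually carries and the server subsequently authorizes.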