The X509IdentityToken is used to pass an X.509 v3 Certificate which is issued by the user.
This token shall always be accompanied by a Signature in the userTokenSignature parameter of ActivateSession if required by the SecurityPolicy. The Server should specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy of None.
X509IdentityTokens have a validity period and a Server shall invalidate the credentials of the Session within a configurable time after the token expires. The Session shall stay valid with the Anonymous Role. If the Server does not allow anonymous users, it should close the Session. Clients should renew the token with ActivateSession before the expiration time to avoid communication interruption or other operation failures.
Table 188 defines the X509IdentityToken parameter.
Table 188 – X.509 v3 Identity Token
| Name | Type | Description |
|---|---|---|
| X509IdentityToken | structure | X.509 v3 value. |
| policyId | String | An identifier for the UserTokenPolicy that the token conforms to. The UserTokenPolicy structure is defined in 7.41. Servers that provide a null or empty PolicyId shall accept null or empty and treat them as equal. |
| certificateData | ByteString | The X.509 v3 Certificate in DER format. |
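An added illustration, not part of the specification text: it encodes and decodes the two fields of the token body in OPC UA binary form, applies the null/empty PolicyId equivalence rule from the table, and models the Server-side expiry rule described above. Assumptions: only the structure body is encoded (the ExtensionObject wrapper is omitted), the certificate bytes are a constructed placeholder rather than a real DER certificate, and the grace period stands in for the Server's configurable time.

```python
"""X509IdentityToken body encoding and the Server-side expiry rule (added example)."""
import struct
from datetime import datetime, timedelta, timezone


def _enc_bytes(value):
    """OPC UA String/ByteString: Int32 little-endian length (-1 = null), then bytes."""
    if value is None:
        return struct.pack("<i", -1)
    return struct.pack("<i", len(value)) + value


def _dec_bytes(data, offset):
    """Inverse of _enc_bytes; returns (value or None, new offset)."""
    (length,) = struct.unpack_from("<i", data, offset)
    offset += 4
    if length < 0:
        return None, offset
    return bytes(data[offset:offset + length]), offset + length


def encode_x509_identity_token(policy_id, certificate_der):
    """Body only: policyId (String) followed by certificateData (ByteString)."""
    pid = None if policy_id is None else policy_id.encode("utf-8")
    return _enc_bytes(pid) + _enc_bytes(certificate_der)


def decode_x509_identity_token(data):
    """Returns (policyId, certificateData, bytes consumed)."""
    pid, off = _dec_bytes(data, 0)
    cert, off = _dec_bytes(data, off)
    return (None if pid is None else pid.decode("utf-8")), cert, off


def policy_ids_match(a, b):
    """Null and empty PolicyId are treated as equal; otherwise exact match."""
    return (a or "") == (b or "")


def credential_state(not_after, now, grace, allow_anonymous):
    """Credentials stay valid until the certificate's notAfter plus the Server's
    configurable grace period; after that the Session drops to the Anonymous
    Role, or is closed when the Server does not allow anonymous users."""
    if now <= not_after + grace:
        return "authenticated"
    return "anonymous" if allow_anonymous else "closed"


# Constructed placeholder, not a real certificate.
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"\x00" * 8
```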