Re: Policy settings tool and username tokens (not x509)

From: Hervey Wilson [MSFT] (herveyw.nospam_at_nospam.microsoft.com)
Date: 09/28/04


Date: Mon, 27 Sep 2004 22:40:19 -0700

Julie Lerman wrote:
> If I am starting out with username ONLY, no x509 etc certificates in my
> wse2 solution, I'm confused by the need (via settings tool) to select a
> digital certificate.
>
> I'm securing a client application.
>
> I have (for now) deselected require sigs and encryption on the request
> message and selected only requires signatures on the response (outgoing)
> message, since I am only interested in my webservice being sure of WHO is
> making the request.
>
> However I still get the Trusted Server Certificates window with the info
> "Choose the x.509 certificates that can be used to authenticate the service.
> This certificate will be used if Request Encryption is chosen."
> I have not chosen request encryption.
>
> I would really like to use wse2 to secure my client's application right now
> without telling them they have to go out and buy x509 certificates for 40
> machines and their servers.
>
> So I want to implement this using username only.
>
> Thanks
>
> Julie
>
>

You cannot do this securely with only a UsernameToken; this is why the
tool asks for the service's token, so that it can not only sign the
message but also encrypt it and the UsernameToken.

Having both client and server tokens allows the default WSE client to
enforce at least a limited form of mutual authentication: the client
signs with token A and encrypts with token B; it then requires that the
response be encrypted with token A and signed with token B. Anything
less leaves response messages open to attack.

You don't have to buy 40 certificates at all; unlike HTTPS, WSE will not
require that the CN name in the certificate match the name of the
computer that the request is sent to. You could therefore use the same
certificate on a number of servers (be sure to block export of the key
and set restrictive permissions on it to prevent physical attacks
against the servers).

-- 
This posting is provided "AS IS", with no warranties, and confers no rights.
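The token arrangement the reply describes, written out as WSE 2.0 client code. This is an added example, not code from the original post or from the WSE product: `MyServiceWse` is a hypothetical proxy generated with WSE enabled, `Echo` is a hypothetical operation on it, the certificate subject and the credentials are placeholders, and the API calls are what I recall of the WSE 2.0 object model, so treat the exact method names as assumptions to check against the WSE 2.0 documentation.

```csharp
// Added example (not from the original post): a WSE 2.0 client that signs
// with the caller's UsernameToken (token A) and encrypts for the service's
// X.509 token (token B), then refuses any response not signed by B.
// Assumptions: MyServiceWse/Echo are a hypothetical WSE proxy and operation;
// the service certificate sits in LocalMachine\My under a placeholder subject.
using System;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;
using Microsoft.Web.Services2.Security.X509;

class UsernameWithServiceCertClient
{
    // Token B: the service certificate. Only the public key is needed here,
    // so the same certificate can be trusted by every client machine.
    static X509SecurityToken FindServiceToken(string subject)
    {
        X509CertificateStore store =
            X509CertificateStore.LocalMachineStore(X509CertificateStore.MyStore);
        if (!store.OpenRead())
            throw new InvalidOperationException("cannot open certificate store");
        try
        {
            X509CertificateCollection certs = store.FindCertificateBySubjectString(subject);
            if (certs.Count == 0)
                throw new InvalidOperationException("service certificate not found");
            return new X509SecurityToken(certs[0]);
        }
        finally
        {
            store.Close();
        }
    }

    // Token A: the caller's UsernameToken. SendHashed keeps the clear
    // password out of the message, but the token is still only as strong
    // as the password, which is why it is also encrypted for the service.
    static UsernameToken MakeUserToken()
    {
        return new UsernameToken("alice", "PLACEHOLDER-PASSWORD", PasswordOption.SendHashed);
    }

    static void Main()
    {
        MyServiceWse proxy = new MyServiceWse();        // hypothetical WSE proxy
        UsernameToken userToken = MakeUserToken();
        X509SecurityToken serviceToken = FindServiceToken("CN=PLACEHOLDER-SERVICE");

        SoapContext request = proxy.RequestSoapContext;
        request.Security.Tokens.Add(userToken);
        // Sign with A so the service knows WHO sent the request.
        request.Security.Elements.Add(new MessageSignature(userToken));
        // Encrypt the body and the UsernameToken itself for B, so only the
        // service can read the request or the credential inside it.
        request.Security.Elements.Add(new EncryptedData(serviceToken));
        request.Security.Elements.Add(new EncryptedData(serviceToken, "#" + userToken.Id));

        string result = proxy.Echo("hello");

        // Response check: the answer must carry a signature made with the
        // service's X.509 token (B); a reply signed only with a UsernameToken,
        // or not signed at all, is rejected.
        bool signedByService = false;
        foreach (ISecurityElement element in proxy.ResponseSoapContext.Security.Elements)
        {
            MessageSignature sig = element as MessageSignature;
            if (sig != null && sig.SigningToken is X509SecurityToken)
                signedByService = true;
        }
        if (!signedByService)
            throw new ApplicationException("response is not signed by the service token");

        Console.WriteLine(result);
    }
}
```

The code checks the "signed with token B" half of the response rule by hand; the "encrypted with token A" half is what the policy generated by the settings tool enforces for you, which is the reason the tool insists on a service certificate even when request encryption is unticked. Because the client only ever holds the service certificate's public key, nothing in this example requires a certificate per client machine; the private key lives solely on the servers, with export blocked and ACLs restricted as the reply recommends.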
