Re: message encryption



Hello Peter,
To answer your question on why it's implicit in nature, take the example of transport-dependent message integrity (SSL): here the certificate is assumed (implicitly) to be issued to the server of the same name as the hostname of the endpoint you're hitting. Moving to transport-agnostic message-level encryption, if the client is talking to a web service then it is implicitly aware of the service contract, which includes the address, policies, and schema of the messages that establish the conversation between client and server. Policies are the best way to communicate the identity and message-level security that the server expects. So if you are looking for the best practice for mapping the service name to an identity, that would be it.


HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com

1. I don't see how it is implicit. The endpoint is either coded in the
WSDL or stored in a config file. Similarly our web services run under
specific user identities (for security, costing etc). Is there a best
practice for mapping the service name to an identity?

2. Is there a way to automate this? The clients are on the intranet.
"Dilip Krishnan" <dkrishnan@xxxxxxxxxxxxxxxxxx> wrote in message
news:uYrY0dZNFHA.2544@xxxxxxxxxxxxxxxxxxxxxxx

Peter,

I want to be able to encrypt part of a SOAP message. I understand I need the public key of the identity running the web service I am sending the message to. My questions are

a) Where do I get the name of the identity I am sending the message to?

This is implicit in nature: just like you know the endpoint of the service you are hitting, you will know the identity of the service as well. By referring to the public key you are using PKI (X509 certificates). So the service should give the public cert that the clients need to be using.

b) How do I distribute the web service identity's public keys (in an intranet environment)? Do I use the LocalMachineEnterprise store? How?

Certificate distribution is always a problem. You can export certificates on the server using the MMC plug-in for certificates, and then give the .cer (containing the public key) files to all the clients.

Thanks

--
HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com
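The export-and-distribute step described above, as an added PowerShell example (not code from this thread, from Dilip, or from Microsoft): the server exports only the public .cer of the identity the service runs as, and each client checks the file it receives against the identity named by the service contract before importing it, so the "implicit" service-name-to-certificate mapping is actually verified rather than assumed. The subject name, share path, thumbprint value and destination store are placeholders and assumptions.

```powershell
# Added example, not code from the thread. Server side: export only the public
# certificate (.cer) of the identity the web service runs as. Client side: verify
# the received .cer against the identity the service contract names before
# importing it. Subject, paths, thumbprint and store names are placeholders.

function Export-ServicePublicCert {
    param(
        [Parameter(Mandatory)][string]$Subject,   # e.g. 'CN=svc-orders.corp.example' (placeholder)
        [Parameter(Mandatory)][string]$OutFile    # e.g. '\\fileserver\certs\svc-orders.cer' (placeholder)
    )
    # Same certificate the MMC export wizard would pick: the service account's cert in LocalMachine\My.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$Subject' in Cert:\LocalMachine\My" }
    # -Type CERT writes a DER .cer containing the public key only.
    # Export-PfxCertificate would include the private key; never distribute that to clients.
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    # Publish the thumbprint together with the service contract/policy so clients can pin it.
    return $cert.Thumbprint
}

function Test-ServicePublicCert {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubject,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $problems = @()
    # A distributed .cer must never carry a private key; if it does, a .pfx was exported by mistake.
    if ($c.HasPrivateKey) { $problems += 'file contains a private key; expected a public-only .cer' }
    # Map the service identity from the contract to the certificate subject (the mapping discussed above).
    if ($c.Subject -ne $ExpectedSubject) { $problems += "subject '$($c.Subject)' does not match '$ExpectedSubject'" }
    # Pinning the published thumbprint guards against a substituted file on the distribution share.
    $wanted = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($c.Thumbprint -ne $wanted) { $problems += 'thumbprint does not match the published value' }
    $now = Get-Date
    if ($c.NotAfter -lt $now)  { $problems += "certificate expired on $($c.NotAfter)" }
    if ($c.NotBefore -gt $now) { $problems += "certificate not valid until $($c.NotBefore)" }
    # Build the chain to a trusted root and run the revocation check under the machine's policy.
    if (-not $c.Verify()) { $problems += 'chain or revocation check failed' }
    return $problems
}

function Install-ServicePublicCert {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubject,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        # Which store the client stack reads recipient certificates from is configuration-specific;
        # LocalMachine\AddressBook ("Other People") is an assumption here.
        [string]$Store = 'Cert:\LocalMachine\AddressBook'
    )
    $issues = Test-ServicePublicCert -Path $Path -ExpectedSubject $ExpectedSubject -ExpectedThumbprint $ExpectedThumbprint
    if ($issues.Count -gt 0) { throw "Refusing to import '$Path': $($issues -join '; ')" }
    Import-Certificate -FilePath $Path -CertStoreLocation $Store | Out-Null
}

# --- Usage (all values are placeholders) ---
# On the server:
#   $thumb = Export-ServicePublicCert -Subject 'CN=svc-orders.corp.example' -OutFile '\\fileserver\certs\svc-orders.cer'
# On each client, with the thumbprint taken from the server step (not from the file itself):
#   Install-ServicePublicCert -Path '\\fileserver\certs\svc-orders.cer' `
#                             -ExpectedSubject 'CN=svc-orders.corp.example' `
#                             -ExpectedThumbprint $thumb
```

The thumbprint has to travel by a path the client already trusts (the published policy, group policy, or a signed deployment package), otherwise the check only confirms that the file on the share matches itself. Where a whole intranet needs the certificate, pushing the .cer through Group Policy to the same store is the same operation without hand-copying files to every client.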


