Re: WS Security issues



I guess that I have a problem no matter whether I choose X.509 or SSL. I
still have to redistribute a unique certificate per customer and install it
on the user's machine?

I can't generate the certificates when I install my product?

Or do I have to obtain it from VeriSign or another similar authority
every time I sell a package?

Henrik


"Dilip Krishnan" <"dilip.krishnan AT apdiya DOT com"> wrote in message
news:e7biaGvZFHA.2128@xxxxxxxxxxxxxxxxxxxxxxx
> Yes you do have to redistribute the x509 if you choose to use it. With SCT
> you don't need the current username token... as long as you have the
> context token and send it with each request the service will assume
> authentication.
>
> Henrik Skak Pedersen wrote:
>> Thank you for your reply.
>>
>> But don't I then have to redistribute a new X509 certificate per customer?
>>
>> Do you know how I can send the current UsernameToken?
>>
>> Thanks,
>> Henrik
>>
>> "Dilip Krishnan" <"dilip.krishnan AT apdiya DOT com"> wrote in message
>> news:eWWa0LuZFHA.3712@xxxxxxxxxxxxxxxxxxxxxxx
>>
>>>+1,
>>>If you're looking to sign and encrypt using user name token, keep in mind
>>>the service will not be interoperable with java or other technologies.
>>>
>>>I guess your best option is to use username token for authentication and
>>>authorization. And use X509 certs for signing and encrypting. This is a
>>>little slower than SSL but from a purist standpoint you are now transport
>>>independent!
>>>
>>>Henrik Skak Pedersen wrote:
>>>
>>>>Hi Yedu,
>>>>
>>>>Thank you very much for your reply.
>>>>
>>>>Would you use UsernameTokens for signing, encrypting and authentication?
>>>>How can I send the current UsernameToken?
>>>>How are you deploying "SSL settings"?
>>>>
>>>>Regards
>>>>
>>>>Henrik
>>>>
>>>>"Yedu" <Yedu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>news:C7E4560D-F7DF-43A1-9799-97BF2A2E48FC@xxxxxxxxxxxxxxxx
>>>>
>>>>
>>>>>We have a similar setup that you described.
>>>>>We are sending the Username/password in the userName token, the
>>>>>Webservice server machine needs to be in the same domain as the AD, if an
>>>>>invalid username/password is sent and it cannot be authenticated it will
>>>>>throw a SoapFault. The username/password is sent as plaintext in the
>>>>>usernameToken.
>>>>>
>>>>>We are using SSL for making sure that the channel is secure.
>>>>>
>>>>>If you plan to implement the X.509 for encryption my guess is that it
>>>>>will be a drag on the performance.
>>>>>"Henrik Skak Pedersen" wrote:
>>>>>
>>>>>
>>>>>
>>>>>>Hello,
>>>>>>
>>>>>>I am working on a product where we are shipping a web service and a
>>>>>>windows client to several end-customers. The web service should be able
>>>>>>to run either on the inside or on the outside of their firewall. The same
>>>>>>CD is being sent to all customers, so it is not possible to modify
>>>>>>anything from customer to customer. The software should run directly
>>>>>>after installation, without obtaining certificates or anything else. The
>>>>>>clients are running on Windows 2000 server and client, Windows XP and
>>>>>>Windows Server 2003.
>>>>>>
>>>>>>I have two demands:
>>>>>>
>>>>>>1) All WS requests from the client need to be authorized by AD. It
>>>>>>should be possible to log in using the current credentials or by
>>>>>>specifying a user name/password pair.
>>>>>>
>>>>>>2) All WS requests from the client need to be encrypted and signed
>>>>>>
>>>>>>I have looked into X509SecurityToken, KerberosToken and UsernameToken.
>>>>>>But I just can't see how I solve this the best way.
>>>>>>
>>>>>>If I use X.509 for signing and encryption, then I guess that I have to
>>>>>>distribute the same certificate to all customers, which I guess is not
>>>>>>a smart idea.
>>>>>>I have read that the KerberosToken does not work for Windows 2000.
>>>>>>
>>>>>>Any recommendations?
>>>>>>
>>>>>>Regards
>>>>>>
>>>>>>Henrik Skak Pedersen
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>>
>>>--
>>>HTH
>>>Regards,
>>>Dilip Krishnan
>>>MCAD, MCSD.net
>>>dilip.krishnan AT apdiya DOT com
>>
>>
>>
>
> --
> HTH
> Regards,
> Dilip Krishnan
> MCAD, MCSD.net
> dilip.krishnan AT apdiya DOT com
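The plaintext UsernameToken over SSL that Yedu describes above, next to the hashed (PasswordDigest) form the same WS-Security UsernameToken Profile defines, as an added example that is not code from the thread or from WSE; the user name, password store and token values are constructed, and a real service would consult AD instead of the local lookup.

```python
# Added example, not code from the thread or from WSE: builds and verifies a
# WS-Security UsernameToken per the OASIS UsernameToken Profile 1.0. PasswordText is
# the plaintext form that relies on SSL; PasswordDigest = Base64(SHA-1(nonce+created+password)).
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PT, PD = PROFILE + "#PasswordText", PROFILE + "#PasswordDigest"
NS, TS = {"wsse": WSSE, "wsu": WSU}, "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # Profile 1.0: SHA-1 over raw nonce bytes, then the Created text, then the password
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def username_token(user, password, hashed=True, nonce=None, created=None):
    """Client side: serialize a <wsse:UsernameToken> (values assumed XML-safe here)."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(TS)
    pw, ptype = (password_digest(nonce, created, password), PD) if hashed else (password, PT)
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{ptype}">{pw}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>')

def verify_token(xml_text, lookup_password, seen_nonces, now=None, max_age_s=300):
    """Service side: True only for a valid, fresh, not-yet-seen token. lookup_password
    returns the stored password or None; in the thread's setup AD would do that check."""
    tok = ET.fromstring(xml_text)
    expected = lookup_password(tok.findtext("wsse:Username", namespaces=NS))
    pw_el = tok.find("wsse:Password", namespaces=NS)
    if expected is None or pw_el is None:
        return False
    sent = (pw_el.text or "").encode()
    if pw_el.get("Type") == PT:                 # plaintext: only a constant-time compare
        return hmac.compare_digest(sent, expected.encode())
    if pw_el.get("Type") != PD:
        return False
    nonce = base64.b64decode(tok.findtext("wsse:Nonce", namespaces=NS) or "")
    created = tok.findtext("wsu:Created", namespaces=NS) or ""
    issued = datetime.strptime(created, TS).replace(tzinfo=timezone.utc)
    age = (now or datetime.now(timezone.utc)) - issued
    if abs(age.total_seconds()) > max_age_s or nonce in seen_nonces:
        return False                            # stale timestamp or replayed nonce
    seen_nonces.add(nonce)                      # remember the nonce for the freshness window
    return hmac.compare_digest(sent, password_digest(nonce, created, expected).encode())
```

Note that the digest form still requires the service to hold the password itself (or delegate to something that can compute the digest), which is why the thread's AD-backed setup ends up with plaintext over SSL.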




