Re: Commercial Certificate



Julie,

In my case, the 'clients' are actually internal SOAP services communicating
with one another behind the firewall in a SOA architecture. Due to the
sensitive nature of the information being passed (credit info, SSNs, etc.)
the machines have to prove they have the rights to contact the service
(other server) and the entire comm must be encrypted. Govt restrictions
require that we don't pass unencrypted info. Outside clients will contact an
HTTP web service (running under SSL) which will then pass their request to
the appropriate service for processing (some sync and some async depending on
the nature of the request). Although there are existing Windows secure comm
protocols that can handle machine-to-machine, not all servers are/will
remain Win. In my case, I'll never have outside clients contacting the SOAP
services directly. They will always pass thru the HTTP web service as a
proxy to a TCP service.

Thanks for your help,

Alex
"Julie Lerman" <jlermanATNOSPAMPLEASEthedatafarm.com> wrote in message
news:uskaHHulFHA.3380@xxxxxxxxxxxxxxxxxxxxxxx
> Guys-
> Do you NEED certificates on all of the clients?
> The most common scenario is to get a web server certificate. This confused
> me at first because there is "no such thing" at verisign/thawte etc. They
> are SSL Certificates!!
>
> oops there's lightning!!!
> gotta shut down
> more later
> julie lerman
> "Alex Trebek" <trebek@xxxxxxxxxxxxxx> wrote in message
> news:b22b9$42e690f2$d844140d$3594@xxxxxxxxxxx
>> Excellent!! -- Thanks!!!
>>
>> Alex
>>
>>
>> "Cormac" <Cormac@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:510627EC-8DE6-4662-8204-FEFAF5D20539@xxxxxxxxxxxxxxxx
>>> Hi Alex/Sam
>>>
>>> I was in a similar situation since I didn't want to even use X509
>>> certificates. I tried to find a resolution to using X509 certificates,
>>> since you have to install them on all client machines, and if you get
>>> them from a certificate authority they cost a packet. If you create
>>> your own then you have to create your own certificate authority and
>>> issue them through one of the Microsoft servers (forgot the name).
>>> Until I found William Stacey's (Cool Guy) blog.
>>>
>>> http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!268.entry
>>>
>>> He was mad enough to come up with a solution that uses Security Context
>>> Tokens, or Secure Conversation as many people call it, that allows the
>>> developer to develop a Security Context Token Service that issues
>>> Security Context Tokens to clients and encrypt and sign each SOAP
>>> message without using X509 certificates.
>>>
>>> He uses strong naming on each assembly to create a Public and Private
>>> key, just like in X509 certificates, to create a Symmetric key to be
>>> used by both endpoints.
>>>
>>> I have implemented it with WSE 2.0 SP 3 and am upgrading it to Beta 2. I
>>> would strongly recommend it instead of using X509 certificates. Why
>>> throw money and a lot of frustration away on X509 certificates when this
>>> is free and better, in my humble opinion.
>>>
>>> Cormac
>>>
>>> "Alex Trebek" wrote:
>>>
>>>> If anyone has some insight here, I'd appreciate it as well. VeriSign
>>>> was not much help by phone either. Their own certificate issuing
>>>> service (there are many links to it and a trial offer on their site)
>>>> generates certificates that work fine (from my trials with their
>>>> service) but I don't think we'll have the budget for that, so I am
>>>> also in the position of the OP.
>>>>
>>>> Thanking anyone who might be able to help,
>>>>
>>>> Alex
>>>> "Sam" <bytecode@xxxxxxxxxxxx> wrote in message
>>>> news:%23yuaaWakFHA.2852@xxxxxxxxxxxxxxxxxxxxxxx
>>>> > Has anyone used WSE with a commercially issued certificate from
>>>> > a CA?
>>>> >
>>>> > Where do I get a CA X.509 cert from? Couldn't find any link on
>>>> > VeriSign's site.
>>>> >
>>>> > Thanks
>>>> > /s
>>>>
>>>>
>>>>
>>
>>
>
>

