Re: Storage of Client Certificates



I think so; I've tried that also, successfully. Basically, the client will send
their public key along with the request, so you read it out from
SoapContext and use it to encrypt the response. The downside of this is that
any user that has your public key will be able to consume your webservice.
If you think about it, your webservice is no longer 'secure'; it's like
opening it to the public. If you do not restrict which users can access your
webservice, then why go through the hassle of protecting a public webservice
in the first place?

I think this brings up another question I have: what is the best practice for
restricting your webservice to a set of known users? If
you have a list of public keys from your clients, how do you figure out
which public key to use when your webservice receives a request? The best
approach I can think of is maintaining a list of trusted public key
identifiers in your config file, and making sure the public key in the request
is among them. What do you guys think?

-jason

"RobertP" <RobertP@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:60B28679-3E0C-44B5-9260-2B7EA919F697@xxxxxxxxxxxxxxxx
> To send an encrypted response back to the client, I would need their
> public key.
>
> I guess I would not have to store their public key if they send the public
> key to me with their request?
>
> Thank You,
>
> Robert
>
> "Pablo Cibraro" wrote:
>
> > No, only if you identify your clients through public keys.
> > In this case, maybe, using a UsernameToken is a better idea. You can use a
> > UsernameToken to identify clients and an X509 certificate to protect the
> > messages.
> > With this solution, your clients must have a public key and you only need a
> > private key in the server's certificate store.
> >
> > Regards,
> > Pablo Cibraro
> > www.lagash.com
> >
> > "RobertP" <RobertP@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:1A8ABB9F-00A4-453A-A156-7D2AFAED2E6E@xxxxxxxxxxxxxxxx
> > > If I have 5,000 users of my web service, I need to have 5,000 public
> > > keys in my server's Certificate Store?
> >
> >
> >
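
The config-file allowlist proposed in the post above, sketched as an added example that is not code from the thread or from WSE: it matches the certificate presented with a request against a list of SHA-256 fingerprints. `ClientAllowList`, `Demo`, the semicolon-separated config format and the sample subjects are hypothetical, and the check assumes the message signature has already been verified against the same certificate.

```csharp
// Added example; names and config format are assumptions. Needs .NET Framework 4.7.2+ or .NET Core.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public sealed class ClientAllowList
{
    private readonly HashSet<string> _trusted = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    // configValue: semicolon-separated SHA-256 fingerprints, e.g. one appSettings value.
    public ClientAllowList(string configValue)
    {
        foreach (string item in configValue.Split(';'))
        {
            string fp = item.Replace(" ", "").Replace(":", "").Trim();
            if (fp.Length == 64) _trusted.Add(fp);   // skip empty or malformed entries
        }
    }
    // Hex SHA-256 over the DER encoding: identifies the exact certificate, not just its subject.
    public static string Fingerprint(X509Certificate2 cert)
    {
        using (SHA256 sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(cert.RawData)).Replace("-", "");
    }
    // Call only after the request signature has been verified with this certificate;
    // a certificate that is merely attached to a request proves nothing about the sender.
    public bool IsAllowed(X509Certificate2 cert, DateTime nowUtc)
    {
        if (cert == null) return false;
        bool inValidity = nowUtc >= cert.NotBefore.ToUniversalTime() && nowUtc <= cert.NotAfter.ToUniversalTime();
        return inValidity && _trusted.Contains(Fingerprint(cert));
    }
}

public static class Demo
{
    // Constructed sample data: throwaway self-signed certificates standing in for client certs.
    private static X509Certificate2 MakeCert(string subject)
    {
        using (RSA rsa = RSA.Create(2048))
            return new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
                .CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
    }
    public static void Main()
    {
        X509Certificate2 known = MakeCert("CN=client-a"), unknown = MakeCert("CN=client-x");
        var list = new ClientAllowList(ClientAllowList.Fingerprint(known) + ";not-a-fingerprint");
        Console.WriteLine("client-a allowed: " + list.IsAllowed(known, DateTime.UtcNow));
        Console.WriteLine("client-x allowed: " + list.IsAllowed(unknown, DateTime.UtcNow));
    }
}
```

Storing fingerprints rather than full certificates keeps the server's certificate store down to its own key pair, and removing a client is a one-line config change.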

