FOLLOW UP - Re: what certificate to buy from Verisign ?
- From: <jason.chen@xxxxxxxxxxxxxxxxx>
- Date: Tue, 20 Sep 2005 12:43:28 -0400
HI Steven,
this is an update on this thread, I just had a call with a Verisign
senior engineer, and he had very strong opinions on using asymetric
encryptions.
first thing he said when I tried to explain to him WSE2 uses asymetric
encryption is 'asymetric encryption is 1000 times slower than symetric
encryption', then he recommended to use HTTPS protocol to protect the data
on the transport level instead of using HTTP and protect the data on the
application level. he also said by protecting data on application level,
it'll be much slower and will be easier for brute force attack.
what I'd like to find out from you is, do you have any performance
matrix on how much performance overhead will be added by using x.509
certificates to encrypt the sign the data comparing to not encrypting and
sign the data?
also, do you have any comment on using HTTPS vs. using HTTP + WSE2
encryption and signing?
thanks,
-Jason
"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:gGB5JtLvFHA.768@xxxxxxxxxxxxxxxxxxxxxxxx
> You're welcome Jason,
>
> If there're any further things we can help later, please feel free to post
> here.
> Good luck!
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
> --------------------
> From: <jason.chen@xxxxxxxxxxxxxxxxx>
> References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
> <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx>
> <dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> <uKVnDInuFHA.3500@xxxxxxxxxxxxxxxxxxxx>
> <gRqUmbouFHA.1080@xxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: what certificate to buy from Verisign ?
> Date: Sun, 18 Sep 2005 16:13:51 -0400
> Lines: 212
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> Message-ID: <Oxmu91IvFHA.3452@xxxxxxxxxxxxxxxxxxxx>
> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
> Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
> Xref: TK2MSFTNGXA01.phx.gbl
> microsoft.public.dotnet.framework.webservices.enhancements:4913
> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
>
> thanks steven for following up, I guess I have to schedule a call with
> verisign to work this out then.
>
> -Jason
>
> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:gRqUmbouFHA.1080@xxxxxxxxxxxxxxxxxxxxxxxx
> > Hi Jason,
> >
> > Server certificate is used by server service, and is not necessary for
> > client app. For client side, there has Client Authentication
Certificate
> > respectively. In fact, you find a certain windows 2000 or 2003 server
> > machine which can install the Microsoft Certificate Service, so that you
> > can create/send certificate request to it , from which you can see those
> > most popular types of certificates. In addition, professional
Authority
> > like Verisign will have much more types of certificates available, so I
> > still think it better you consult them on your scenario.
> >
> > Thanks,
> >
> > Steven Cheng
> > Microsoft Online Support
> >
> > Get Secure! www.microsoft.com/security
> > (This posting is provided "AS IS", with no warranties, and confers no
> > rights.)
> >
> >
> >
> >
> > --------------------
> > From: <jason.chen@xxxxxxxxxxxxxxxxx>
> > References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
> > <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> > <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx>
> > <dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> > Subject: Re: what certificate to buy from Verisign ?
> > Date: Thu, 15 Sep 2005 23:52:07 -0400
> > Lines: 146
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> > Message-ID: <uKVnDInuFHA.3500@xxxxxxxxxxxxxxxxxxxx>
> > Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> > NNTP-Posting-Host: a7cebc02.cst.lightpath.net 167.206.188.2
> > Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
> > Xref: TK2MSFTNGXA01.phx.gbl
> > microsoft.public.dotnet.framework.webservices.enhancements:4897
> > X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
> >
> > hi Steven,
> > I'd like X509 certificate to be used by both client and server, you
> > mentioned the server side can use a regular SSL certificate, can client
> also
> > use a regular ssl certificate on client side?
> >
> > thanks,
> > -Jason
> >
> > "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxxxxx
> > > Thanks for your response Jason,
> > >
> > > As for the webservice client, it all depends on your application's
> > security
> > > authetication design. If you server doesn't use some authentication
> schema
> > > which require client certificates(x509 authentication based token
> > > authentication....) or the server dosn't require the client to use a
> > > certain certificate to identitfy clientside, then client app do not
need
> > to
> > > have a own certificate. This is just like when we use SSL without
> > > requiring clientside certificate. Also, since you're using WSE, if
> you
> > > have used x509 certificate token to sign message at both
> > client/serverside,
> > > then, the clientside also must have its own certificate.
> > >
> > > Thanks,
> > >
> > > Steven Cheng
> > > Microsoft Online Support
> > >
> > > Get Secure! www.microsoft.com/security
> > > (This posting is provided "AS IS", with no warranties, and confers no
> > > rights.)
> > >
> > >
> > > --------------------
> > > From: <jason.chen@xxxxxxxxxxxxxxxxx>
> > > References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
> > > <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> > > Subject: Re: what certificate to buy from Verisign ?
> > > Date: Thu, 15 Sep 2005 10:19:53 -0400
> > > Lines: 83
> > > X-Priority: 3
> > > X-MSMail-Priority: Normal
> > > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> > > Message-ID: <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx>
> > > Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> > > NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
> > > Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
> > > Xref: TK2MSFTNGXA01.phx.gbl
> > > microsoft.public.dotnet.framework.webservices.enhancements:4884
> > > X-Tomcat-NG:
microsoft.public.dotnet.framework.webservices.enhancements
> > >
> > > thanks Steven, I guess the server side can just purchase the normal
> > > webserver certificate, what about the client side who consumes the
> > > webservice? should they also get a normal webserver certificate or
> > something
> > > particular?
> > >
> > > many thanks,
> > > -jason
> > >
> > > "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> > > news:NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxxxxx
> > > > Hi Jason,
> > > >
> > > > AS for the Certificate type you mentioned, for your scenario, since
> the
> > > > certificate is mainly used to identitfy your server application and
> > build
> > > a
> > > > secure communication channel between client/server, I think a normal
> web
> > > > server certificate is enough. Of course, there must has some guys
> from
> > > > Verisign who will help you find the proper certificate for yoru
> > > > application.
> > > >
> > > > Thanks,
> > > >
> > > > Steven Cheng
> > > > Microsoft Online Support
> > > >
> > > > Get Secure! www.microsoft.com/security
> > > > (This posting is provided "AS IS", with no warranties, and confers
no
> > > > rights.)
> > > >
> > > >
> > > > --------------------
> > > > From: <jason.chen@xxxxxxxxxxxxxxxxx>
> > > > Subject: what certificate to buy from Verisign ?
> > > > Date: Wed, 14 Sep 2005 12:52:04 -0400
> > > > Lines: 29
> > > > X-Priority: 3
> > > > X-MSMail-Priority: Normal
> > > > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> > > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> > > > Message-ID: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
> > > > Newsgroups:
microsoft.public.dotnet.framework.webservices.enhancements
> > > > NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
> > > > Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
> > > > Xref: TK2MSFTNGXA01.phx.gbl
> > > > microsoft.public.dotnet.framework.webservices.enhancements:4873
> > > > X-Tomcat-NG:
> microsoft.public.dotnet.framework.webservices.enhancements
> > > >
> > > > Hi, my company plans to use WSE2.0 sp3 to secure the webservice
> > > > communication between us and the client. now that we are looking at
> > > Verisign
> > > > on what exactly to buy but the sales person at Verisign were not
very
> > > > helpful. and MSDN didn't provide any information on what exact
> > certificate
> > > > to buy from Verisign either, all it says is get certificate from a
> > trusted
> > > > CA, for example: Verisign.
> > > >
> > > > could someone point out which product to buy from verisign?
> > > >
> > > > some information on what I found so far:
> > > >
> > > > 1. after searched around, seems a lot of people are complaining
> Verisign
> > > > sales have no idea what to buy to encrypt and sign web services.
> > > >
> > > > 2. some people seem got regular SSL certificates working to encrypt
> and
> > > > sign web service request, but will there be performance issues? is
it
> > > > recommened by Microsoft that an existing SSL certificate can be used
> for
> > > > encrypt and sign webservice requests?
> > > >
> > > > 3. some people in various newsgroups are talking about using the
> Digital
> > > ID
> > > > product from Verisign to encrypt and sign webservice requests,
> > > >
> > >
> >
>
(http://www.verisign.com/products-services/security-services/pki/pki-applica
> > > > tion/email-digital-id/index.html), this is a product from Verisign
to
> > > secure
> > > > emails. is this correct to use Digital ID? this thing is much
cheaper
> > than
> > > > regular SSL certificates, only $19.99/Year
> > > >
> > > > Please help, thanks a lot.
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
> >
>
>
>
.
- Follow-Ups:
- RE: FOLLOW UP - Re: what certificate to buy from Verisign ?
- From: Steven Cheng[MSFT]
- Re: FOLLOW UP - Re: what certificate to buy from Verisign ?
- From: William Stacey [MVP]
- RE: FOLLOW UP - Re: what certificate to buy from Verisign ?
- References:
- what certificate to buy from Verisign ?
- From: jason.chen
- RE: what certificate to buy from Verisign ?
- From: Steven Cheng[MSFT]
- Re: what certificate to buy from Verisign ?
- From: jason.chen
- Re: what certificate to buy from Verisign ?
- From: Steven Cheng[MSFT]
- Re: what certificate to buy from Verisign ?
- From: jason.chen
- Re: what certificate to buy from Verisign ?
- From: Steven Cheng[MSFT]
- Re: what certificate to buy from Verisign ?
- From: jason.chen
- Re: what certificate to buy from Verisign ?
- From: Steven Cheng[MSFT]
- what certificate to buy from Verisign ?
- Prev by Date: Re: how can we restrict what certificate WSE will use?
- Next by Date: WS-Security-Extension Declaration with WSE2
- Previous by thread: Re: what certificate to buy from Verisign ?
- Next by thread: Re: FOLLOW UP - Re: what certificate to buy from Verisign ?
- Index(es):
Relevant Pages
|
Loading
