RE: FOLLOW UP - Re: what certificate to buy from Verisign ?



Hi Jason,

Thanks for your follow-up.
The Verisign guy's suggestion is reasonable from a security perspective,
since asymmetric encryption is really more secure, but it also has a higher
performance cost. Generally, we'll use asymmetric encryption to transfer a
session key and then use that session key to do symmetric encryption for
all the subsequent communication. That's also what SSL/TLS does.

For HTTPS/SSL, of course I'd recommend you consider it if SSL/TLS is really
possible for your scenario. SSL/TLS just provides a secure point-to-point
channel which ensures confidentiality, integrity .... And though WSE also
provides these features, the SSL/TLS implementation is surely more robust
and sophisticated. And WSE's strong point is that it provides more flexible
and wider application scenarios, which are not limited to the webserver
scenario (generally SSL/TLS requires our server service to be hosted in a
sophisticated webserver like IIS/Apache or another application server),
while a WSE application can be hosted in any .NET application.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no rights.)
--------------------
From: <jason.chen@xxxxxxxxxxxxxxxxx>
References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx> <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx> <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx> <dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxx> <uKVnDInuFHA.3500@xxxxxxxxxxxxxxxxxxxx> <gRqUmbouFHA.1080@xxxxxxxxxxxxxxxxxxxxx> <Oxmu91IvFHA.3452@xxxxxxxxxxxxxxxxxxxx> <gGB5JtLvFHA.768@xxxxxxxxxxxxxxxxxxxxx>
Subject: FOLLOW UP - Re: what certificate to buy from Verisign ?
Date: Tue, 20 Sep 2005 12:43:28 -0400
Lines: 284
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.3790.326
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
Message-ID: <eqSVtJgvFHA.2076@xxxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.dotnet.framework.webservices.enhancements:4929
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements

Hi Steven,
this is an update on this thread. I just had a call with a Verisign
senior engineer, and he had very strong opinions on using asymmetric
encryption.
The first thing he said when I tried to explain to him that WSE2 uses
asymmetric encryption was 'asymmetric encryption is 1000 times slower than
symmetric encryption'; then he recommended using the HTTPS protocol to
protect the data on the transport level instead of using HTTP and
protecting the data on the application level. He also said that by
protecting data on the application level, it'll be much slower and will be
easier for brute force attack.
What I'd like to find out from you is, do you have any performance
matrix on how much performance overhead will be added by using x.509
certificates to encrypt and sign the data compared to not encrypting and
signing the data?
Also, do you have any comment on using HTTPS vs. using HTTP + WSE2
encryption and signing?

thanks,
-Jason

"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:gGB5JtLvFHA.768@xxxxxxxxxxxxxxxxxxxxxxxx
> You're welcome Jason,
>
> If there're any further things we can help with later, please feel free
> to post here.
> Good luck!
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
> --------------------
> From: <jason.chen@xxxxxxxxxxxxxxxxx>
> References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx> <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx> <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx> <dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxx> <uKVnDInuFHA.3500@xxxxxxxxxxxxxxxxxxxx> <gRqUmbouFHA.1080@xxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: what certificate to buy from Verisign ?
> Date: Sun, 18 Sep 2005 16:13:51 -0400
> Lines: 212
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> Message-ID: <Oxmu91IvFHA.3452@xxxxxxxxxxxxxxxxxxxx>
> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
> Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
> Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.dotnet.framework.webservices.enhancements:4913
> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
>
> thanks Steven for following up, I guess I have to schedule a call with
> Verisign to work this out then.
>
> -Jason
>
> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:gRqUmbouFHA.1080@xxxxxxxxxxxxxxxxxxxxxxxx
> > Hi Jason,
> >
> > A server certificate is used by the server service, and is not
> > necessary for the client app. For the client side, there is a Client
> > Authentication Certificate respectively. In fact, you can find a
> > certain Windows 2000 or 2003 server machine which can install the
> > Microsoft Certificate Service, so that you can create/send a
> > certificate request to it, from which you can see the most popular
> > types of certificates. In addition, a professional authority like
> > Verisign will have many more types of certificates available, so I
> > still think it better you consult them on your scenario.
> >
> > Thanks,
> >
> > Steven Cheng
> > Microsoft Online Support
> >
> > Get Secure! www.microsoft.com/security
> > (This posting is provided "AS IS", with no warranties, and confers no
> > rights.)
> >
> > --------------------
> > From: <jason.chen@xxxxxxxxxxxxxxxxx>
> > References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx> <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx> <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx> <dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> > Subject: Re: what certificate to buy from Verisign ?
> > Date: Thu, 15 Sep 2005 23:52:07 -0400
> > Lines: 146
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> > Message-ID: <uKVnDInuFHA.3500@xxxxxxxxxxxxxxxxxxxx>
> > Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> > NNTP-Posting-Host: a7cebc02.cst.lightpath.net 167.206.188.2
> > Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
> > Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.dotnet.framework.webservices.enhancements:4897
> > X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
> >
> > hi Steven,
> > I'd like the X509 certificate to be used by both client and server. You
> > mentioned the server side can use a regular SSL certificate; can the
> > client also use a regular SSL certificate on the client side?
> >
> > thanks,
> > -Jason
> >
> > "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxxxxx
> > > Thanks for your response Jason,
> > >
> > > As for the webservice client, it all depends on your application's
> > > security authentication design. If your server doesn't use some
> > > authentication scheme which requires client certificates (x509
> > > authentication based token authentication....) or the server doesn't
> > > require the client to use a certain certificate to identify the
> > > client side, then the client app does not need to have its own
> > > certificate. This is just like when we use SSL without requiring a
> > > client-side certificate. Also, since you're using WSE, if you have
> > > used an x509 certificate token to sign messages at both client/server
> > > side, then the client side also must have its own certificate.
> > >
> > > Thanks,
> > >
> > > Steven Cheng
> > > Microsoft Online Support
> > >
> > > Get Secure! www.microsoft.com/security
> > > (This posting is provided "AS IS", with no warranties, and confers no
> > > rights.)
> > >
> > > --------------------
> > > From: <jason.chen@xxxxxxxxxxxxxxxxx>
> > > References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx> <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> > > Subject: Re: what certificate to buy from Verisign ?
> > > Date: Thu, 15 Sep 2005 10:19:53 -0400
> > > Lines: 83
> > > X-Priority: 3
> > > X-MSMail-Priority: Normal
> > > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> > > Message-ID: <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx>
> > > Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> > > NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
> > > Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
> > > Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.dotnet.framework.webservices.enhancements:4884
> > > X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
> > >
> > > thanks Steven, I guess the server side can just purchase the normal
> > > webserver certificate. What about the client side who consumes the
> > > webservice? Should they also get a normal webserver certificate or
> > > something particular?
> > >
> > > many thanks,
> > > -jason
> > >
> > > "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> > > news:NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxxxxx
> > > > Hi Jason,
> > > >
> > > > As for the certificate type you mentioned, for your scenario, since
> > > > the certificate is mainly used to identify your server application
> > > > and build a secure communication channel between client/server, I
> > > > think a normal web server certificate is enough. Of course, there
> > > > must be some guys from Verisign who will help you find the proper
> > > > certificate for your application.
> > > >
> > > > Thanks,
> > > >
> > > > Steven Cheng
> > > > Microsoft Online Support
> > > >
> > > > Get Secure! www.microsoft.com/security
> > > > (This posting is provided "AS IS", with no warranties, and confers
> > > > no rights.)
> > > >
> > > > --------------------
> > > > From: <jason.chen@xxxxxxxxxxxxxxxxx>
> > > > Subject: what certificate to buy from Verisign ?
> > > > Date: Wed, 14 Sep 2005 12:52:04 -0400
> > > > Lines: 29
> > > > X-Priority: 3
> > > > X-MSMail-Priority: Normal
> > > > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> > > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> > > > Message-ID: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
> > > > Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> > > > NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
> > > > Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
> > > > Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.dotnet.framework.webservices.enhancements:4873
> > > > X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
> > > >
> > > > Hi, my company plans to use WSE2.0 sp3 to secure the webservice
> > > > communication between us and the client. Now we are looking at
> > > > Verisign on what exactly to buy, but the sales person at Verisign
> > > > was not very helpful, and MSDN didn't provide any information on
> > > > what exact certificate to buy from Verisign either; all it says is
> > > > get a certificate from a trusted CA, for example: Verisign.
> > > >
> > > > could someone point out which product to buy from Verisign?
> > > >
> > > > some information on what I found so far:
> > > >
> > > > 1. after searching around, it seems a lot of people are complaining
> > > > Verisign sales have no idea what to buy to encrypt and sign web
> > > > services.
> > > >
> > > > 2. some people seem to have got regular SSL certificates working to
> > > > encrypt and sign web service requests, but will there be performance
> > > > issues? is it recommended by Microsoft that an existing SSL
> > > > certificate can be used to encrypt and sign webservice requests?
> > > >
> > > > 3. some people in various newsgroups are talking about using the
> > > > Digital ID product from Verisign to encrypt and sign webservice
> > > > requests
> > > > (http://www.verisign.com/products-services/security-services/pki/pki-application/email-digital-id/index.html);
> > > > this is a product from Verisign to secure emails. is this correct to
> > > > use Digital ID? this thing is much cheaper than regular SSL
> > > > certificates, only $19.99/Year
> > > >
> > > > Please help, thanks a lot.
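The pattern Steven describes (one asymmetric operation to move a session key, then symmetric encryption for everything that follows) and the cost question Jason brings back from Verisign, as an added worked example. This is illustrative code written for this thread, not WSE, TLS or anything from Microsoft or Verisign. It uses only the Go standard library: the RSA key pair stands in for the key behind a server's X.509 certificate, `clientSetup`, `unwrapSessionKey`, `newSession`, `sealMessage`, `openMessage` and `costRatio` are names chosen here, the `seq=1` associated data and the sample message are constructed, and the OAEP label is left empty.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// clientSetup draws a random AES-256 session key and wraps it with RSA-OAEP
// to the public key taken from the server's certificate: the session's one
// asymmetric operation. The client keeps key and sends only wrapped.
func clientSetup(serverPub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	return key, wrapped, err
}

// unwrapSessionKey is the server's matching private-key operation.
func unwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// newSession builds the AES-256-GCM AEAD both sides use for every later message.
func newSession(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMessage returns nonce || ciphertext || tag. aad (here a sequence
// number) is authenticated but not encrypted. With random 96-bit nonces the
// session key must be rotated long before 2^32 messages.
func sealMessage(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openMessage checks the tag first; any change to nonce, ciphertext, tag or
// aad yields an error and no plaintext.
func openMessage(aead cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed message too short: %d bytes", len(sealed))
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// costRatio times n RSA private-key unwraps against n AES-GCM seals of a
// msgLen-byte message and returns asymmetric time / symmetric time, so the
// "1000 times slower" figure can be measured instead of quoted.
func costRatio(priv *rsa.PrivateKey, wrapped, key []byte, n, msgLen int) (float64, error) {
	aead, err := newSession(key)
	if err != nil {
		return 0, err
	}
	msg := make([]byte, msgLen) // content is irrelevant to the timing
	start := time.Now()
	for i := 0; i < n; i++ {
		if _, err := unwrapSessionKey(priv, wrapped); err != nil {
			return 0, err
		}
	}
	asym := time.Since(start)
	start = time.Now()
	for i := 0; i < n; i++ {
		if _, err := sealMessage(aead, msg, nil); err != nil {
			return 0, err
		}
	}
	return float64(asym) / float64(time.Since(start)), nil
}

func main() {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	key, wrapped, err := clientSetup(&serverPriv.PublicKey)
	if err != nil {
		panic(err)
	}
	client, _ := newSession(key) // cannot fail for a 32-byte key
	sealed, _ := sealMessage(client, []byte("constructed SOAP body"), []byte("seq=1"))
	serverKey, _ := unwrapSessionKey(serverPriv, wrapped)
	server, _ := newSession(serverKey)
	got, err := openMessage(server, sealed, []byte("seq=1"))
	ratio, _ := costRatio(serverPriv, wrapped, key, 50, 1024)
	fmt.Printf("server read %q (err=%v); one RSA-2048 unwrap ~ %.0f AES-GCM seals of 1 KiB\n", got, err, ratio)
}
```

Run it with `go run` and read the ratio it prints rather than the round number from the phone call: what matters for a web service is that the private-key operation happens once per session, not once per message, which is exactly what the session key buys. The same shape appears in XML Encryption, where an EncryptedKey wrapped to the certificate carries the symmetric key that actually protects the body; what differs between transport-level and message-level protection is where the session key lives and how long it is kept, not the arithmetic.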