Re: FOLLOW UP - Re: what certificate to buy from Verisign ?
- From: <jason.chen@xxxxxxxxxxxxxxxxx>
- Date: Wed, 21 Sep 2005 12:58:55 -0400
Hi Steven,
thanks for getting back to me. SSL is possible in my scenario, but I
have some doubts about using SSL in a server to server scenario, let me
explain:
in a typical scenario of Browser talking to server through SSL, a SSL
handshake is done, and a session key is established, session key is
transferred back to browser from server. and browser can use the generated
session key to send request to the server as long as the browser remain
open. if browser closes down, session will be lost, if new browser instance
opens, new SSL handshake have to be done, new session key will be generated
and transferred back to browser.
in a sccenario of server talking to server through SSL, SSL handshake will
be done when server tries to send request to the other server through https.
session key will be transferred back, and as long as the connection not
closed down, same session key will be used. the catch here is in most server
to server scenario, I think connections have to be closed once the request
is done. or in this scenario, should we put the opened https connection into
a connection pool? I think I'm lost in this. also, will the session key ever
expire?
thanks,
-jason
"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:M10VK0ovFHA.580@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi Jason,
>
> Thanks for your followup.
> The verisign guy's suggestion is reasonable from security perspective
since
> Asymmetric encryption is really more secure, but also more performance
> cost. Generally, we'll use asymmetric encrytion to transfer sessionkey
> and then use that sessionkey to do symmetric encryption for all the
> sequential commuincation. That's also what SLL/TLS does.
>
> For HTTPS/SSL, of course I'd recommend you consider it if SSL/TLS is
really
> possible for your scenario. The SSL/TLS just provide a secuire point to
> point channel which ensure confidential, integrity .... And though WSE
> also priovde these features, the SSL/TLS's implementation is surely more
> robust and sophisticated. And the WSE's strong point is that it provide
> more flexible and wide applicaiton scenario, which is not limited to
> webserver scenario, (generally SSL/TLS require our server service be
hosted
> in a sophisticated webserver like IIS/ Apache or other applicaiton
> server). While WSE application can be hosted in any .NET application.
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
> --------------------
> From: <jason.chen@xxxxxxxxxxxxxxxxx>
> References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
> <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx>
> <dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> <uKVnDInuFHA.3500@xxxxxxxxxxxxxxxxxxxx>
> <gRqUmbouFHA.1080@xxxxxxxxxxxxxxxxxxxxx>
> <Oxmu91IvFHA.3452@xxxxxxxxxxxxxxxxxxxx>
> <gGB5JtLvFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> Subject: FOLLOW UP - Re: what certificate to buy from Verisign ?
> Date: Tue, 20 Sep 2005 12:43:28 -0400
> Lines: 284
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> Message-ID: <eqSVtJgvFHA.2076@xxxxxxxxxxxxxxxxxxxx>
> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
> Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
> Xref: TK2MSFTNGXA01.phx.gbl
> microsoft.public.dotnet.framework.webservices.enhancements:4929
> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
>
> HI Steven,
> this is an update on this thread, I just had a call with a Verisign
> senior engineer, and he had very strong opinions on using asymetric
> encryptions.
> first thing he said when I tried to explain to him WSE2 uses asymetric
> encryption is 'asymetric encryption is 1000 times slower than symetric
> encryption', then he recommended to use HTTPS protocol to protect the data
> on the transport level instead of using HTTP and protect the data on the
> application level. he also said by protecting data on application level,
> it'll be much slower and will be easier for brute force attack.
> what I'd like to find out from you is, do you have any performance
> matrix on how much performance overhead will be added by using x.509
> certificates to encrypt the sign the data comparing to not encrypting and
> sign the data?
> also, do you have any comment on using HTTPS vs. using HTTP + WSE2
> encryption and signing?
>
> thanks,
> -Jason
>
> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:gGB5JtLvFHA.768@xxxxxxxxxxxxxxxxxxxxxxxx
> > You're welcome Jason,
> >
> > If there're any further things we can help later, please feel free to
post
> > here.
> > Good luck!
> >
> > Steven Cheng
> > Microsoft Online Support
> >
> > Get Secure! www.microsoft.com/security
> > (This posting is provided "AS IS", with no warranties, and confers no
> > rights.)
> > --------------------
> > From: <jason.chen@xxxxxxxxxxxxxxxxx>
> > References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
> > <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> > <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx>
> > <dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> > <uKVnDInuFHA.3500@xxxxxxxxxxxxxxxxxxxx>
> > <gRqUmbouFHA.1080@xxxxxxxxxxxxxxxxxxxxx>
> > Subject: Re: what certificate to buy from Verisign ?
> > Date: Sun, 18 Sep 2005 16:13:51 -0400
> > Lines: 212
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> > Message-ID: <Oxmu91IvFHA.3452@xxxxxxxxxxxxxxxxxxxx>
> > Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> > NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
> > Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
> > Xref: TK2MSFTNGXA01.phx.gbl
> > microsoft.public.dotnet.framework.webservices.enhancements:4913
> > X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
> >
> > thanks steven for following up, I guess I have to schedule a call with
> > verisign to work this out then.
> >
> > -Jason
> >
> > "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:gRqUmbouFHA.1080@xxxxxxxxxxxxxxxxxxxxxxxx
> > > Hi Jason,
> > >
> > > Server certificate is used by server service, and is not necessary for
> > > client app. For client side, there has Client Authentication
> Certificate
> > > respectively. In fact, you find a certain windows 2000 or 2003 server
> > > machine which can install the Microsoft Certificate Service, so that
you
> > > can create/send certificate request to it , from which you can see
those
> > > most popular types of certificates. In addition, professional
> Authority
> > > like Verisign will have much more types of certificates available, so
I
> > > still think it better you consult them on your scenario.
> > >
> > > Thanks,
> > >
> > > Steven Cheng
> > > Microsoft Online Support
> > >
> > > Get Secure! www.microsoft.com/security
> > > (This posting is provided "AS IS", with no warranties, and confers no
> > > rights.)
> > >
> > >
> > >
> > >
> > > --------------------
> > > From: <jason.chen@xxxxxxxxxxxxxxxxx>
> > > References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
> > > <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> > > <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx>
> > > <dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> > > Subject: Re: what certificate to buy from Verisign ?
> > > Date: Thu, 15 Sep 2005 23:52:07 -0400
> > > Lines: 146
> > > X-Priority: 3
> > > X-MSMail-Priority: Normal
> > > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> > > Message-ID: <uKVnDInuFHA.3500@xxxxxxxxxxxxxxxxxxxx>
> > > Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> > > NNTP-Posting-Host: a7cebc02.cst.lightpath.net 167.206.188.2
> > > Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
> > > Xref: TK2MSFTNGXA01.phx.gbl
> > > microsoft.public.dotnet.framework.webservices.enhancements:4897
> > > X-Tomcat-NG:
microsoft.public.dotnet.framework.webservices.enhancements
> > >
> > > hi Steven,
> > > I'd like X509 certificate to be used by both client and server,
you
> > > mentioned the server side can use a regular SSL certificate, can
client
> > also
> > > use a regular ssl certificate on client side?
> > >
> > > thanks,
> > > -Jason
> > >
> > > "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> > > news:dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxxxxx
> > > > Thanks for your response Jason,
> > > >
> > > > As for the webservice client, it all depends on your application's
> > > security
> > > > authetication design. If you server doesn't use some authentication
> > schema
> > > > which require client certificates(x509 authentication based token
> > > > authentication....) or the server dosn't require the client to use
a
> > > > certain certificate to identitfy clientside, then client app do not
> need
> > > to
> > > > have a own certificate. This is just like when we use SSL without
> > > > requiring clientside certificate. Also, since you're using WSE,
if
> > you
> > > > have used x509 certificate token to sign message at both
> > > client/serverside,
> > > > then, the clientside also must have its own certificate.
> > > >
> > > > Thanks,
> > > >
> > > > Steven Cheng
> > > > Microsoft Online Support
> > > >
> > > > Get Secure! www.microsoft.com/security
> > > > (This posting is provided "AS IS", with no warranties, and confers
no
> > > > rights.)
> > > >
> > > >
> > > > --------------------
> > > > From: <jason.chen@xxxxxxxxxxxxxxxxx>
> > > > References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
> > > > <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx>
> > > > Subject: Re: what certificate to buy from Verisign ?
> > > > Date: Thu, 15 Sep 2005 10:19:53 -0400
> > > > Lines: 83
> > > > X-Priority: 3
> > > > X-MSMail-Priority: Normal
> > > > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> > > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> > > > Message-ID: <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx>
> > > > Newsgroups:
microsoft.public.dotnet.framework.webservices.enhancements
> > > > NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
> > > > Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
> > > > Xref: TK2MSFTNGXA01.phx.gbl
> > > > microsoft.public.dotnet.framework.webservices.enhancements:4884
> > > > X-Tomcat-NG:
> microsoft.public.dotnet.framework.webservices.enhancements
> > > >
> > > > thanks Steven, I guess the server side can just purchase the normal
> > > > webserver certificate, what about the client side who consumes the
> > > > webservice? should they also get a normal webserver certificate or
> > > something
> > > > particular?
> > > >
> > > > many thanks,
> > > > -jason
> > > >
> > > > "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> > > > news:NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxxxxx
> > > > > Hi Jason,
> > > > >
> > > > > AS for the Certificate type you mentioned, for your scenario,
since
> > the
> > > > > certificate is mainly used to identitfy your server application
and
> > > build
> > > > a
> > > > > secure communication channel between client/server, I think a
normal
> > web
> > > > > server certificate is enough. Of course, there must has some guys
> > from
> > > > > Verisign who will help you find the proper certificate for yoru
> > > > > application.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Steven Cheng
> > > > > Microsoft Online Support
> > > > >
> > > > > Get Secure! www.microsoft.com/security
> > > > > (This posting is provided "AS IS", with no warranties, and confers
> no
> > > > > rights.)
> > > > >
> > > > >
> > > > > --------------------
> > > > > From: <jason.chen@xxxxxxxxxxxxxxxxx>
> > > > > Subject: what certificate to buy from Verisign ?
> > > > > Date: Wed, 14 Sep 2005 12:52:04 -0400
> > > > > Lines: 29
> > > > > X-Priority: 3
> > > > > X-MSMail-Priority: Normal
> > > > > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> > > > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> > > > > Message-ID: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
> > > > > Newsgroups:
> microsoft.public.dotnet.framework.webservices.enhancements
> > > > > NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
> > > > > Path:
> TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
> > > > > Xref: TK2MSFTNGXA01.phx.gbl
> > > > > microsoft.public.dotnet.framework.webservices.enhancements:4873
> > > > > X-Tomcat-NG:
> > microsoft.public.dotnet.framework.webservices.enhancements
> > > > >
> > > > > Hi, my company plans to use WSE2.0 sp3 to secure the webservice
> > > > > communication between us and the client. now that we are looking
at
> > > > Verisign
> > > > > on what exactly to buy but the sales person at Verisign were not
> very
> > > > > helpful. and MSDN didn't provide any information on what exact
> > > certificate
> > > > > to buy from Verisign either, all it says is get certificate from a
> > > trusted
> > > > > CA, for example: Verisign.
> > > > >
> > > > > could someone point out which product to buy from verisign?
> > > > >
> > > > > some information on what I found so far:
> > > > >
> > > > > 1. after searched around, seems a lot of people are complaining
> > Verisign
> > > > > sales have no idea what to buy to encrypt and sign web services.
> > > > >
> > > > > 2. some people seem got regular SSL certificates working to
encrypt
> > and
> > > > > sign web service request, but will there be performance issues? is
> it
> > > > > recommened by Microsoft that an existing SSL certificate can be
used
> > for
> > > > > encrypt and sign webservice requests?
> > > > >
> > > > > 3. some people in various newsgroups are talking about using the
> > Digital
> > > > ID
> > > > > product from Verisign to encrypt and sign webservice requests,
> > > > >
> > > >
> > >
> >
>
(http://www.verisign.com/products-services/security-services/pki/pki-applica
> > > > > tion/email-digital-id/index.html), this is a product from Verisign
> to
> > > > secure
> > > > > emails. is this correct to use Digital ID? this thing is much
> cheaper
> > > than
> > > > > regular SSL certificates, only $19.99/Year
> > > > >
> > > > > Please help, thanks a lot.
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
> >
>
>
>
.
- Follow-Ups:
- Re: FOLLOW UP - Re: what certificate to buy from Verisign ?
- From: Steven Cheng[MSFT]
- Re: FOLLOW UP - Re: what certificate to buy from Verisign ?
- References:
- what certificate to buy from Verisign ?
- From: jason.chen
- RE: what certificate to buy from Verisign ?
- From: Steven Cheng[MSFT]
- Re: what certificate to buy from Verisign ?
- From: jason.chen
- Re: what certificate to buy from Verisign ?
- From: Steven Cheng[MSFT]
- Re: what certificate to buy from Verisign ?
- From: jason.chen
- Re: what certificate to buy from Verisign ?
- From: Steven Cheng[MSFT]
- Re: what certificate to buy from Verisign ?
- From: jason.chen
- Re: what certificate to buy from Verisign ?
- From: Steven Cheng[MSFT]
- FOLLOW UP - Re: what certificate to buy from Verisign ?
- From: jason.chen
- RE: FOLLOW UP - Re: what certificate to buy from Verisign ?
- From: Steven Cheng[MSFT]
- what certificate to buy from Verisign ?
- Prev by Date: Re: how can we restrict what certificate WSE will use?
- Next by Date: Re: how can we restrict what certificate WSE will use?
- Previous by thread: RE: FOLLOW UP - Re: what certificate to buy from Verisign ?
- Next by thread: Re: FOLLOW UP - Re: what certificate to buy from Verisign ?
- Index(es):
Relevant Pages
|
Loading
