Re: FOLLOW UP - Re: what certificate to buy from Verisign ?

Tech-Archive recommends: Speed Up your PC by fixing your registry

{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 Hi Jason,
\par
\par Of course the sessionkey will be expired and regenerated after connection closed and new connection established. Also, during a live connection's lifecycle, the SessionKey will also expire and be regenerated according to the timespan is has across so as to ensure the channel's secure. In addition, for SSL between server to server, I think it's the same with client to server, in fact when a server use HTTPS to call webservice at another server protected by SSL/TLS, the server which send the request is just the "CLIENT", so server/client is a logic concept.
\par
\par Thanks,
\par
\par Steven Cheng
\par Microsoft Online Support
\par
\par Get Secure! www.microsoft.com/security
\par (This posting is provided "AS IS", with no warranties, and confers no rights.)
\par
\par \pard\li720 --------------------
\par From: <jason.chen@xxxxxxxxxxxxxxxxx>
\par References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx> <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx> <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx> <dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxx> <uKVnDInuFHA.3500@xxxxxxxxxxxxxxxxxxxx> <gRqUmbouFHA.1080@xxxxxxxxxxxxxxxxxxxxx> <Oxmu91IvFHA.3452@xxxxxxxxxxxxxxxxxxxx> <gGB5JtLvFHA.768@xxxxxxxxxxxxxxxxxxxxx> <eqSVtJgvFHA.2076@xxxxxxxxxxxxxxxxxxxx> <M10VK0ovFHA.580@xxxxxxxxxxxxxxxxxxxxx>
\par Subject: Re: FOLLOW UP - Re: what certificate to buy from Verisign ?
\par Date: Wed, 21 Sep 2005 12:58:55 -0400
\par Lines: 388
\par X-Priority: 3
\par X-MSMail-Priority: Normal
\par X-Newsreader: Microsoft Outlook Express 6.00.3790.326
\par X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
\par Message-ID: <ei#DE3svFHA.908@xxxxxxxxxxxxxxxxxxxx>
\par Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
\par NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
\par Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
\par Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.dotnet.framework.webservices.enhancements:4946
\par X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
\par
\par Hi Steven,
\par thanks for getting back to me. SSL is possible in my scenario, but I
\par have some doubts about using SSL in a server to server scenario, let me
\par explain:
\par
\par in a typical scenario of Browser talking to server through SSL, a SSL
\par handshake is done, and a session key is established, session key is
\par transferred back to browser from server. and browser can use the generated
\par session key to send request to the server as long as the browser remain
\par open. if browser closes down, session will be lost, if new browser instance
\par opens, new SSL handshake have to be done, new session key will be generated
\par and transferred back to browser.
\par
\par in a sccenario of server talking to server through SSL, SSL handshake will
\par be done when server tries to send request to the other server through https.
\par session key will be transferred back, and as long as the connection not
\par closed down, same session key will be used. the catch here is in most server
\par to server scenario, I think connections have to be closed once the request
\par is done. or in this scenario, should we put the opened https connection into
\par a connection pool? I think I'm lost in this. also, will the session key ever
\par expire?
\par
\par thanks,
\par -jason
\par
\par "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
\par news:M10VK0ovFHA.580@xxxxxxxxxxxxxxxxxxxxxxxx
\par > Hi Jason,
\par >
\par > Thanks for your followup.
\par > The verisign guy's suggestion is reasonable from security perspective
\par since
\par > Asymmetric encryption is really more secure, but also more performance
\par > cost. Generally, we'll use asymmetric encrytion to transfer sessionkey
\par > and then use that sessionkey to do symmetric encryption for all the
\par > sequential commuincation. That's also what SLL/TLS does.
\par >
\par > For HTTPS/SSL, of course I'd recommend you consider it if SSL/TLS is
\par really
\par > possible for your scenario. The SSL/TLS just provide a secuire point to
\par > point channel which ensure confidential, integrity .... And though WSE
\par > also priovde these features, the SSL/TLS's implementation is surely more
\par > robust and sophisticated. And the WSE's strong point is that it provide
\par > more flexible and wide applicaiton scenario, which is not limited to
\par > webserver scenario, (generally SSL/TLS require our server service be
\par hosted
\par > in a sophisticated webserver like IIS/ Apache or other applicaiton
\par > server). While WSE application can be hosted in any .NET application.
\par >
\par > Thanks,
\par >
\par > Steven Cheng
\par > Microsoft Online Support
\par >
\par > Get Secure! www.microsoft.com/security
\par > (This posting is provided "AS IS", with no warranties, and confers no
\par > rights.)
\par > --------------------
\par > From: <jason.chen@xxxxxxxxxxxxxxxxx>
\par > References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
\par > <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx>
\par > <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx>
\par > <dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxx>
\par > <uKVnDInuFHA.3500@xxxxxxxxxxxxxxxxxxxx>
\par > <gRqUmbouFHA.1080@xxxxxxxxxxxxxxxxxxxxx>
\par > <Oxmu91IvFHA.3452@xxxxxxxxxxxxxxxxxxxx>
\par > <gGB5JtLvFHA.768@xxxxxxxxxxxxxxxxxxxxx>
\par > Subject: FOLLOW UP - Re: what certificate to buy from Verisign ?
\par > Date: Tue, 20 Sep 2005 12:43:28 -0400
\par > Lines: 284
\par > X-Priority: 3
\par > X-MSMail-Priority: Normal
\par > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
\par > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
\par > Message-ID: <eqSVtJgvFHA.2076@xxxxxxxxxxxxxxxxxxxx>
\par > Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
\par > NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
\par > Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
\par > Xref: TK2MSFTNGXA01.phx.gbl
\par > microsoft.public.dotnet.framework.webservices.enhancements:4929
\par > X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
\par >
\par > HI Steven,
\par > this is an update on this thread, I just had a call with a Verisign
\par > senior engineer, and he had very strong opinions on using asymetric
\par > encryptions.
\par > first thing he said when I tried to explain to him WSE2 uses asymetric
\par > encryption is 'asymetric encryption is 1000 times slower than symetric
\par > encryption', then he recommended to use HTTPS protocol to protect the data
\par > on the transport level instead of using HTTP and protect the data on the
\par > application level. he also said by protecting data on application level,
\par > it'll be much slower and will be easier for brute force attack.
\par > what I'd like to find out from you is, do you have any performance
\par > matrix on how much performance overhead will be added by using x.509
\par > certificates to encrypt the sign the data comparing to not encrypting and
\par > sign the data?
\par > also, do you have any comment on using HTTPS vs. using HTTP + WSE2
\par > encryption and signing?
\par >
\par > thanks,
\par > -Jason
\par >
\par > "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
\par > news:gGB5JtLvFHA.768@xxxxxxxxxxxxxxxxxxxxxxxx
\par > > You're welcome Jason,
\par > >
\par > > If there're any further things we can help later, please feel free to
\par post
\par > > here.
\par > > Good luck!
\par > >
\par > > Steven Cheng
\par > > Microsoft Online Support
\par > >
\par > > Get Secure! www.microsoft.com/security
\par > > (This posting is provided "AS IS", with no warranties, and confers no
\par > > rights.)
\par > > --------------------
\par > > From: <jason.chen@xxxxxxxxxxxxxxxxx>
\par > > References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
\par > > <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx>
\par > > <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx>
\par > > <dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxx>
\par > > <uKVnDInuFHA.3500@xxxxxxxxxxxxxxxxxxxx>
\par > > <gRqUmbouFHA.1080@xxxxxxxxxxxxxxxxxxxxx>
\par > > Subject: Re: what certificate to buy from Verisign ?
\par > > Date: Sun, 18 Sep 2005 16:13:51 -0400
\par > > Lines: 212
\par > > X-Priority: 3
\par > > X-MSMail-Priority: Normal
\par > > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
\par > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
\par > > Message-ID: <Oxmu91IvFHA.3452@xxxxxxxxxxxxxxxxxxxx>
\par > > Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
\par > > NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
\par > > Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
\par > > Xref: TK2MSFTNGXA01.phx.gbl
\par > > microsoft.public.dotnet.framework.webservices.enhancements:4913
\par > > X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
\par > >
\par > > thanks steven for following up, I guess I have to schedule a call with
\par > > verisign to work this out then.
\par > >
\par > > -Jason
\par > >
\par > > "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
\par > > news:gRqUmbouFHA.1080@xxxxxxxxxxxxxxxxxxxxxxxx
\par > > > Hi Jason,
\par > > >
\par > > > Server certificate is used by server service, and is not necessary for
\par > > > client app. For client side, there has Client Authentication
\par > Certificate
\par > > > respectively. In fact, you find a certain windows 2000 or 2003 server
\par > > > machine which can install the Microsoft Certificate Service, so that
\par you
\par > > > can create/send certificate request to it , from which you can see
\par those
\par > > > most popular types of certificates. In addition, professional
\par > Authority
\par > > > like Verisign will have much more types of certificates available, so
\par I
\par > > > still think it better you consult them on your scenario.
\par > > >
\par > > > Thanks,
\par > > >
\par > > > Steven Cheng
\par > > > Microsoft Online Support
\par > > >
\par > > > Get Secure! www.microsoft.com/security
\par > > > (This posting is provided "AS IS", with no warranties, and confers no
\par > > > rights.)
\par > > >
\par > > >
\par > > >
\par > > >
\par > > > --------------------
\par > > > From: <jason.chen@xxxxxxxxxxxxxxxxx>
\par > > > References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
\par > > > <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx>
\par > > > <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx>
\par > > > <dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxx>
\par > > > Subject: Re: what certificate to buy from Verisign ?
\par > > > Date: Thu, 15 Sep 2005 23:52:07 -0400
\par > > > Lines: 146
\par > > > X-Priority: 3
\par > > > X-MSMail-Priority: Normal
\par > > > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
\par > > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
\par > > > Message-ID: <uKVnDInuFHA.3500@xxxxxxxxxxxxxxxxxxxx>
\par > > > Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
\par > > > NNTP-Posting-Host: a7cebc02.cst.lightpath.net 167.206.188.2
\par > > > Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
\par > > > Xref: TK2MSFTNGXA01.phx.gbl
\par > > > microsoft.public.dotnet.framework.webservices.enhancements:4897
\par > > > X-Tomcat-NG:
\par microsoft.public.dotnet.framework.webservices.enhancements
\par > > >
\par > > > hi Steven,
\par > > > I'd like X509 certificate to be used by both client and server,
\par you
\par > > > mentioned the server side can use a regular SSL certificate, can
\par client
\par > > also
\par > > > use a regular ssl certificate on client side?
\par > > >
\par > > > thanks,
\par > > > -Jason
\par > > >
\par > > > "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
\par > > > news:dlKkV7luFHA.768@xxxxxxxxxxxxxxxxxxxxxxxx
\par > > > > Thanks for your response Jason,
\par > > > >
\par > > > > As for the webservice client, it all depends on your application's
\par > > > security
\par > > > > authetication design. If you server doesn't use some authentication
\par > > schema
\par > > > > which require client certificates(x509 authentication based token
\par > > > > authentication....) or the server dosn't require the client to use
\par a
\par > > > > certain certificate to identitfy clientside, then client app do not
\par > need
\par > > > to
\par > > > > have a own certificate. This is just like when we use SSL without
\par > > > > requiring clientside certificate. Also, since you're using WSE,
\par if
\par > > you
\par > > > > have used x509 certificate token to sign message at both
\par > > > client/serverside,
\par > > > > then, the clientside also must have its own certificate.
\par > > > >
\par > > > > Thanks,
\par > > > >
\par > > > > Steven Cheng
\par > > > > Microsoft Online Support
\par > > > >
\par > > > > Get Secure! www.microsoft.com/security
\par > > > > (This posting is provided "AS IS", with no warranties, and confers
\par no
\par > > > > rights.)
\par > > > >
\par > > > >
\par > > > > --------------------
\par > > > > From: <jason.chen@xxxxxxxxxxxxxxxxx>
\par > > > > References: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
\par > > > > <NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxx>
\par > > > > Subject: Re: what certificate to buy from Verisign ?
\par > > > > Date: Thu, 15 Sep 2005 10:19:53 -0400
\par > > > > Lines: 83
\par > > > > X-Priority: 3
\par > > > > X-MSMail-Priority: Normal
\par > > > > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
\par > > > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
\par > > > > Message-ID: <uK1wLCguFHA.596@xxxxxxxxxxxxxxxxxxxx>
\par > > > > Newsgroups:
\par microsoft.public.dotnet.framework.webservices.enhancements
\par > > > > NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
\par > > > > Path:
\par TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
\par > > > > Xref: TK2MSFTNGXA01.phx.gbl
\par > > > > microsoft.public.dotnet.framework.webservices.enhancements:4884
\par > > > > X-Tomcat-NG:
\par > microsoft.public.dotnet.framework.webservices.enhancements
\par > > > >
\par > > > > thanks Steven, I guess the server side can just purchase the normal
\par > > > > webserver certificate, what about the client side who consumes the
\par > > > > webservice? should they also get a normal webserver certificate or
\par > > > something
\par > > > > particular?
\par > > > >
\par > > > > many thanks,
\par > > > > -jason
\par > > > >
\par > > > > "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
\par > > > > news:NRnDAzcuFHA.768@xxxxxxxxxxxxxxxxxxxxxxxx
\par > > > > > Hi Jason,
\par > > > > >
\par > > > > > AS for the Certificate type you mentioned, for your scenario,
\par since
\par > > the
\par > > > > > certificate is mainly used to identitfy your server application
\par and
\par > > > build
\par > > > > a
\par > > > > > secure communication channel between client/server, I think a
\par normal
\par > > web
\par > > > > > server certificate is enough. Of course, there must has some guys
\par > > from
\par > > > > > Verisign who will help you find the proper certificate for yoru
\par > > > > > application.
\par > > > > >
\par > > > > > Thanks,
\par > > > > >
\par > > > > > Steven Cheng
\par > > > > > Microsoft Online Support
\par > > > > >
\par > > > > > Get Secure! www.microsoft.com/security
\par > > > > > (This posting is provided "AS IS", with no warranties, and confers
\par > no
\par > > > > > rights.)
\par > > > > >
\par > > > > >
\par > > > > > --------------------
\par > > > > > From: <jason.chen@xxxxxxxxxxxxxxxxx>
\par > > > > > Subject: what certificate to buy from Verisign ?
\par > > > > > Date: Wed, 14 Sep 2005 12:52:04 -0400
\par > > > > > Lines: 29
\par > > > > > X-Priority: 3
\par > > > > > X-MSMail-Priority: Normal
\par > > > > > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
\par > > > > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
\par > > > > > Message-ID: <Oo3#jyUuFHA.3756@xxxxxxxxxxxxxxxxxxxx>
\par > > > > > Newsgroups:
\par > microsoft.public.dotnet.framework.webservices.enhancements
\par > > > > > NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
\par > > > > > Path:
\par > TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
\par > > > > > Xref: TK2MSFTNGXA01.phx.gbl
\par > > > > > microsoft.public.dotnet.framework.webservices.enhancements:4873
\par > > > > > X-Tomcat-NG:
\par > > microsoft.public.dotnet.framework.webservices.enhancements
\par > > > > >
\par > > > > > Hi, my company plans to use WSE2.0 sp3 to secure the webservice
\par > > > > > communication between us and the client. now that we are looking
\par at
\par > > > > Verisign
\par > > > > > on what exactly to buy but the sales person at Verisign were not
\par > very
\par > > > > > helpful. and MSDN didn't provide any information on what exact
\par > > > certificate
\par > > > > > to buy from Verisign either, all it says is get certificate from a
\par > > > trusted
\par > > > > > CA, for example: Verisign.
\par > > > > >
\par > > > > > could someone point out which product to buy from verisign?
\par > > > > >
\par > > > > > some information on what I found so far:
\par > > > > >
\par > > > > > 1. after searched around, seems a lot of people are complaining
\par > > Verisign
\par > > > > > sales have no idea what to buy to encrypt and sign web services.
\par > > > > >
\par > > > > > 2. some people seem got regular SSL certificates working to
\par encrypt
\par > > and
\par > > > > > sign web service request, but will there be performance issues? is
\par > it
\par > > > > > recommened by Microsoft that an existing SSL certificate can be
\par used
\par > > for
\par > > > > > encrypt and sign webservice requests?
\par > > > > >
\par > > > > > 3. some people in various newsgroups are talking about using the
\par > > Digital
\par > > > > ID
\par > > > > > product from Verisign to encrypt and sign webservice requests,
\par > > > > >
\par > > > >
\par > > >
\par > >
\par >
\par (http://www.verisign.com/products-services/security-services/pki/pki-applica
\par > > > > > tion/email-digital-id/index.html), this is a product from Verisign
\par > to
\par > > > > secure
\par > > > > > emails. is this correct to use Digital ID? this thing is much
\par > cheaper
\par > > > than
\par > > > > > regular SSL certificates, only $19.99/Year
\par > > > > >
\par > > > > > Please help, thanks a lot.
\par > > > > >
\par > > > > >
\par > > > > >
\par > > > >
\par > > > >
\par > > > >
\par > > >
\par > > >
\par > > >
\par > >
\par > >
\par > >
\par >
\par >
\par >
\par
\par
\par \pard
\par
\par }