Hi bao,
They are completely different.
SSL secures the message at transport level, while WSE does that at application
level. (Transport and application levels come from the TCP/IP Stack)
In a few words, WSE modifies the request and response messages to add
security headers and secure the message (Using the WS-Security standard), it
doesn't depend on the transport to protect the message.
SSL can be used only to protect web services published on a web server
using http, and it doesn't modify the message.
Both use X509 certificates, but as I said before, they use them at different
levels.
Regards,
Pablo Cibraro
www.lagash.com
> hi, what is the difference between securing a webservice using ssl and
> using x509 certificate to encrypt and sign webservice?
[quoted text clipped - 10 lines]
> thanks,
> -bao
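As an added example (not part of the original posts and not WSE's own code), this Python sketch shows what "modifies the message" means in practice: a WS-Security envelope carries its protection inside the XML, while an envelope sent over SSL is unchanged plaintext protected only by the connection. Both envelopes are constructed samples with placeholder values, SOAP 1.1 is assumed, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample: what travels inside an SSL tunnel (message itself untouched).
PLAIN = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Body><GetBalance xmlns="urn:example"><account>12345</account></GetBalance></soap:Body>
</soap:Envelope>"""

# Constructed sample: the same call after message-level protection (placeholder values).
SECURED = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
  <soap:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken>PLACEHOLDER-X509-CERT</wsse:BinarySecurityToken>
      <ds:Signature><ds:SignatureValue>PLACEHOLDER-SIG</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData><xenc:CipherData>
      <xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue>
    </xenc:CipherData></xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""

def message_level_protection(envelope_xml):
    """Report which WS-Security elements an envelope carries.

    Structural check only: it does not verify the signature or decrypt anything.
    """
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    return {
        "security_header": sec is not None,
        "signed": sec is not None and sec.find("ds:Signature", NS) is not None,
        "x509_token": sec is not None and sec.find("wsse:BinarySecurityToken", NS) is not None,
        "body_encrypted": body is not None and body.find("xenc:EncryptedData", NS) is not None,
    }

if __name__ == "__main__":
    for name, xml in (("over SSL", PLAIN), ("WS-Security", SECURED)):
        print(name, message_level_protection(xml))
```

The protected envelope stays protected when it is queued, logged or relayed by an intermediary; the plain one is only protected while it is inside the SSL connection.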
xiaobaoer@gmail.com - 24 Aug 2005 16:17 GMT
Thanks Pablo,
then what's the most secure way to protect a webservice? should it
be using X509 to encrypt and sign or use SSL with some user name and
password? microsoft didn't provide any recommendation on this topic.
to my best understanding, using x509 to encrypt the sign will involve
certificate management nightmare, imagine that both parties will have
to exchange their certificates, and if one expires, it has to get new
certificate and send the public key to the other party, and both
parties have to switch to the new public at the same time, and this
process has to be manual, because physical certificate has to be
installed on each box hosting the app.
on the other hand, if using SSL + username password is secure
enough, there is not much certificate management involved, only the
server side needs to get new certificate when it expires, and when
server updates its certificate, the whole thing still works because
public key is automatically sent to the client.
you mentioned ssl is only good for webservice published through http
protocol, are you indicating webservices can be published through other
protocols?
thanks for your help
-bao
Pablo Cibraro - 24 Aug 2005 17:52 GMT
Both methods are extremely secure. You should choose one according to your
application requirements.
In your case, maybe SSL is the best option, because you want to publish a
simple web service, and you don't want to have problems managing
certificates.
Yes, web services can be published through other protocols such as TCP,
MSMQ, etc. That's a feature provided by WSE messaging.
> Thanks Pablo,
> then what's the most secure way to protect a webservice? should it
[quoted text clipped - 19 lines]
> thanks for your help
> -bao