
.NET Forum / ASP.NET / Web Services / February 2006


Question about X.509 certs

Chris - 12 Jan 2006 17:02 GMT
I've read through the volumes of docs regarding WSE 3.0 and it seems that
using X.509 certificates for message-layer security is a highly effective way
to handle the variety of security concerns we have when implementing B2B web
services.

Being a relative X.509 newbie, I have a question of a logistical nature.
Let's say I'm hosting multiple web services accessed by multiple business
partners. Certs in this context are generally pegged to URIs, aren't they?
In that case, can't I use a single cert if all of my services use the same
root URI with virtual directories? Then, of course, each client must have
its own cert with whom we exchange public keys. So we'd be providing the
same public key to all of our business partners. Am I missing something here,
or is this scenario feasible?

Cost is probably the biggest issue when considering an X.509-based solution.
If a single cert will suffice, cost is really no longer a factor from our
perspective.

Please let me know your thoughts. Thanks.

Chris - 20 Jan 2006 15:29 GMT
Bump! Can someone help with this question? If not, can you point to the
appropriate place to ask it? It's very important to my current research.
Thanks!

Chris

> I've read through the volumes of docs regarding WSE 3.0 and it seems that
> using X.509 certificates for message-layer security is a highly effective way
[quoted text clipped - 15 lines]
>
> Please let me know your thoughts. Thanks.

Techno_Dex - 06 Feb 2006 21:36 GMT
I don't believe that the cert has to be tied to a particular URI, as the WSE
code samples wouldn't work for anyone (unless they are doing something funky
with the testroot certs).  

Take this for what it's worth, as I'm not positive.

> Bump! Can someone help with this question? If not, can you point to the
> appropriate place to ask it? It's very important to my current research.
[quoted text clipped - 21 lines]
> >
> > Please let me know your thoughts. Thanks.

dustin.breese - 07 Feb 2006 13:58 GMT
Chris,

As Techno_Dex said above, the certs aren't tied to a particular URI.
Using a single cert with all your clients defeats the purpose of an
X509.  Sounds like your scenario is what WS-Trust was created to
handle.  The key piece of your infrastructure should be that you have
to create TRUST in all of your relationships.  WS-Trust addresses the
question of "How can one client authenticate securely in one place, but
still be able to access other WS's outside our domain and have the
other domain trust us?"

An STS server does just that.  There is actually a quite good STS
Quickstart just released on the 17th January which I've been playing
around with quite a bit.  Not exactly production ready, but it helps
with the understanding of how STS fits in.

Hope this helps.
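
The arrangement from Chris's question, as an added example that is not part of the original thread or of WSE 3.0: one service certificate whose public half goes to every partner, one certificate per partner, and no URI in any of them. It assumes plain .NET (`CertificateRequest`, .NET Core 2.0 / .NET Framework 4.7.2 or later), constructed self-signed certificates and subject names, and raw RSA standing in for the WS-Security signing and encryption a WSE policy would perform.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class SharedServiceCertDemo
{
    // Constructed self-signed certificate; production certs would come from a CA.
    static X509Certificate2 Issue(string subject)
    {
        RSA key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                    DateTimeOffset.UtcNow.AddDays(1));
    }

    // Public half only: this is what gets handed to the other side.
    static X509Certificate2 PublicOnly(X509Certificate2 c) => new X509Certificate2(c.RawData);

    static void Main()
    {
        X509Certificate2 service = Issue("CN=Example Services");   // one cert, every endpoint
        X509Certificate2 partnerA = Issue("CN=Partner A");
        X509Certificate2 partnerB = Issue("CN=Partner B");

        // Service-side trust list, keyed by thumbprint rather than by any URI.
        var trusted = new Dictionary<string, X509Certificate2>();
        foreach (var p in new[] { partnerA, partnerB })
            trusted[p.Thumbprint] = PublicOnly(p);

        // Partner A signs with its own private key and encrypts to the shared
        // service public key (a real stack would wrap a symmetric key instead).
        byte[] body = Encoding.UTF8.GetBytes("<order id='1'/>");
        byte[] sig = partnerA.GetRSAPrivateKey().SignData(
            body, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        byte[] enc = PublicOnly(service).GetRSAPublicKey().Encrypt(
            body, RSAEncryptionPadding.OaepSHA256);

        // Service decrypts with the one private key only it holds, then checks
        // the signature against each partner's certificate.
        byte[] plain = service.GetRSAPrivateKey().Decrypt(enc, RSAEncryptionPadding.OaepSHA256);
        foreach (var entry in trusted)
            Console.WriteLine("{0}: signature valid = {1}", entry.Value.Subject,
                entry.Value.GetRSAPublicKey().VerifyData(
                    plain, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
    }
}
```

Only the Partner A entry reports a valid signature.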
