Hi

We have recently been looking into implementing secure web services
into our ASP.NET application using the Microsoft WSE 3.0 SDK. This SDK
is Microsoft's implementation of the WSI standard. We are trying to
implement message layer security with X.509 certificates in WSE 3.0.

This is where my problem begins. I am new to the process of using
certificates am a bit ignorant so please forgive me. Firstly I'm not
sure which certificate option I need to use. I've been told by Thawte
that SSL, SGC and SSL123 will suffice as these conform to the X.509
standard.

So what we want to achieve is the following. I need two certificates,
one for the server and one for the client. The server needs
public/private key pair and the client certificate needs the public
key. The client will provide a username and password that will be
attached to the message and encrypted using the public key sent to the
server. The server will decrypt the message and authenticate the
username token against a db. The samples that came with the Microsoft
WSE sdk used a server certificate and personal certificates (pfx
files). Apparently Verisign provide personal certificates for business
use. I've managed to get an end to end prototype going and all i need
now is to purchase the certificates from a certificate authority.

Now do I need a separate client certificate for each client? Thawte
mention MPKI Lite as a possible solution to this. How much is this
solution and what does it entail?

Also I would need a server certificate. Which certificate would be
suitable here?

We estimate about 50 clients using the smart client application that
will use the secure web service so this has to be cost effective!

Could you please shed some light on this situation?

Any help here would be most appreciated as I am getting lost here in
something i though would be very simple. Maybe i need to rethink this
strategy and not use certifcates at all???

Damian