.NET Forum / ASP.NET / Web Services / September 2004

Policy settings tool and username tokens (not x509)

Julie Lerman - 27 Sep 2004 18:18 GMT
If I am starting out with username ONLY, no x509 etc. certificates in my
wse2 solution, I'm confused by the need (via settings tool) to select a
digital certificate.

I'm securing a client application.

I have (for now) deselected require sigs and encryption on the request
message and selected only requires signatures on the response (outgoing)
message, since I am only interested in my webservice being sure of WHO is
making the request.

However I still get the Trusted Server Certificates window with the info
"Choose the x.509 certificates that can be used to authenticate the service.
This certificate will be used if Request Encryption is chosen."
I have not chosen request encryption.

I would really like to use wse2 to secure my client's application right now
without telling them they have to go out and buy x509 certificates for 40
machines and their servers.

So I want to implement this using username only.

Thanks

Julie
Hervey Wilson [MSFT] - 28 Sep 2004 06:40 GMT
> If I am starting out with username ONLY, no x509 etc. certificates in my
> wse2 solution, I'm confused by the need (via settings tool) to select a
[quoted text clipped - 21 lines]
>
> Julie

You cannot do this securely with only a UsernameToken; this is why the
tool asks for the service's token, so that it can not only sign the
message but also encrypt it and the UsernameToken.

Having both client and server tokens allows the default WSE client to
enforce at least a limited form of mutual authentication: the client
signs with token A and encrypts with token B; it then requires that the
response be encrypted with token A and signed with token B. Anything
less leaves response messages open to attack.

You don't have to buy 40 certificates at all; unlike HTTPS, WSE will not
require that the CN name in the certificate match the name of the
computer that the request is sent to. You could therefore use the same
certificate on a number of servers (be sure to block export of the key
and set restrictive permissions on it to prevent physical attacks
against the servers).

Signature

This posting is provided "AS IS", with no warranties, and confers no rights.

Julie Lerman - 28 Sep 2004 16:11 GMT
(bear with me - I am trying to work this stuff out so that I can eliminate
my own questions and be better able to teach this stuff to others. I am no
security expert....caveat caveat caveat <g>)

Totally grok about the extra super duper security with x509. However, if I
have explicitly chosen not to encrypt the request or response messages (not
talking about the digest created via digital sig) and it *is* indeed
possible (if not recommended) to digitally sign with a usernametoken, AND
the wse setup tool is telling me "I'm making you give me an x509 server cert
because you chose to do request encryption" when I actually did not choose
to do any encryption, something isn't right.

I am working from the client app here.

(I think) Basically either the tool does not want to allow me to deselect
encryption, or the tool is giving me that screen when it doesn't mean to.
Does that make sense? If it's confusing to me, it's going to be confusing to
others. I assure you, I'm a very good baseline for the target audience! The
tool is doing a fantastic job of handholding people through this process.
But if it is giving possible misinformation, then we'll be little lost
lambs.

thanks much, Hervey

julie
Hervey Wilson [MSFT] - 28 Sep 2004 16:38 GMT
> (bear with me - I am trying to work this stuff out so that I can eliminate
> my own questions and be better able to teach this stuff to others. I am no
[quoted text clipped - 17 lines]
> But if it is giving possible misinformation, then we'll be little lost
> lambs.

Thanks for the info, I'll file a bug against this today and have it
investigated for SP2. In the future, if you believe that you've found a
bug in the product, please report it to the WSE Feedback alias (wsefeed
at microsoft.com) so that it gets visibility with the product team and
can be actioned.

Signature

This posting is provided "AS IS", with no warranties, and confers no rights.

Julie Lerman - 28 Sep 2004 17:53 GMT
LOL - I didn't think these were bugs. I just assumed I was doing something
wrong! <g>
thanks for your help.

julie
Hervey Wilson [MSFT] - 29 Sep 2004 05:44 GMT
> LOL - I didn't think these were bugs. I just assumed I was doing something
> wrong! <g>
> thanks for your help.
>
> julie

It turns out that this may not be a code bug, only a problem with the
message text, dependent on which signing options you specified.

Remembering that request encryption and response signing use the same
token (the service token), if you selected either of these options then
the tool will demand that you specify the server token; however, the
error message only refers to request encryption and is therefore
misleading and will be changed for SP2.

Let me know if this is the case so I can close the issue.

Signature

This posting is provided "AS IS", with no warranties, and confers no rights.
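The two-token mirror rule Hervey describes earlier in the thread (sign with A, encrypt to B; require the response encrypted to A and signed by B) and the settings-tool rule in this post (request encryption and response signing both use the service token), as an added model in Python. This is not WSE code and not from the thread: the token ids, header fields and the `needs_service_token` function are assumptions that mirror the text, and no real signing or encryption is performed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Token:
    id: str
    kind: str  # "UsernameToken" (client token A) or "X509" (service token B); assumed labels

@dataclass(frozen=True)
class SecurityHeader:
    signed_by: Optional[str]      # id of the token whose key produced the signature
    encrypted_to: Optional[str]   # id of the token whose key the body is encrypted to

def build_request(a: Token, b: Optional[Token], sign: bool, encrypt: bool) -> SecurityHeader:
    """Client side: sign with token A, encrypt to token B (the service token)."""
    if encrypt and b is None:
        raise ValueError("request encryption needs the service token")
    return SecurityHeader(a.id if sign else None, b.id if encrypt else None)

def required_response(a: Token, b: Optional[Token], sign: bool, encrypt: bool) -> SecurityHeader:
    """Mirror of the request: the response must be signed by B and encrypted to A."""
    if sign and b is None:
        raise ValueError("response signing needs the service token")
    return SecurityHeader(b.id if sign else None, a.id if encrypt else None)

def verify_response(required: SecurityHeader, actual: SecurityHeader) -> Tuple[bool, str]:
    """Client-side check of a response header against the mirrored policy."""
    if required.signed_by and actual.signed_by != required.signed_by:
        return False, "response not signed with the service token"
    if required.encrypted_to and actual.encrypted_to != required.encrypted_to:
        return False, "response not encrypted to the client token"
    return True, "ok"

def needs_service_token(sign_req: bool, enc_req: bool, sign_resp: bool, enc_resp: bool) -> bool:
    """Settings-tool rule from the post: request encryption and response signing use the service token."""
    return enc_req or sign_resp

ALICE = Token("alice-usernametoken", "UsernameToken")   # constructed sample tokens
SERVICE = Token("service-x509", "X509")

if __name__ == "__main__":
    # Julie's configuration: sign request, sign response, no encryption, username only.
    print(needs_service_token(True, False, True, False))   # True: response signing needs B
    try:
        required_response(ALICE, None, sign=True, encrypt=False)
    except ValueError as e:
        print("username-only client cannot enforce the policy:", e)
    # With the service token present, a response signed with the client's own token is rejected.
    req = required_response(ALICE, SERVICE, sign=True, encrypt=False)
    print(verify_response(req, SecurityHeader("alice-usernametoken", None)))
```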

Julie Lerman - 30 Sep 2004 02:54 GMT
Yup - it's the message.

If I select Sign request and sign response, I do get the x509 screen - which
makes sense because how else is the server going to sign the response? - but
it says I'm getting the message because I selected to encrypt the request.

The screen for choosing token type is explicit in saying Client Token.

Julie
