If ClientCredentialType is not certificate, which certificate is used for signing messages

  • Question

  • I have read at the link below that in PKI the private key is used for signing (which indicates the client certificate's private key)
    http://msdn.microsoft.com/en-us/library/ms731846.aspx

    Now if ClientCredentialType is not Certificate, then how are the messages signed in WCF?

    The default ProtectionLevel in WCF is EncryptAndSign, as given at the MSDN link below:
    http://msdn.microsoft.com/en-us/library/aa347692.aspx

    The documentation at the above link says:
    "If you select a binding that enables security and you do not set the ProtectionLevel property anywhere on the contract, all application data will be encrypted and signed."

    So my concern is: if a secure binding like wsHttpBinding with a server certificate is used and ClientCredentialType is not Certificate, then how are the messages signed?

    The only certificate available here is the server certificate, and I don't think that can be used for signing messages sent from client to server, because the private key won't be with the client; only the public key of the server certificate is available to the client.

    Wednesday, February 9, 2011 6:18 AM

Answers

  • Commonly the client generates a session key and encrypts it with the public key of the server cert. The server then decrypts the session key, which is then used for encrypting and signing. This is how SSL and WS-SecureConversation work. Using an algorithm with a single key (symmetric algorithm) is faster than using one with a key pair (asymmetric algorithm).


    Richard Blewett, thinktecture - http://www.dotnetconsult.co.uk/weblog2
    Twitter: richardblewett
    • Marked as answer by Yi-Lun Luo Tuesday, February 15, 2011 9:06 AM
    Wednesday, February 9, 2011 10:09 AM
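The exchange Richard describes, as an added illustration that is not part of the thread and not WCF or WS-SecureConversation code: the client picks a random symmetric session key, wraps it under the server certificate's public key (RSA-OAEP here), the server unwraps it with the private key, and from then on both sides encrypt with AES and "sign" with an HMAC keyed from that session key. It is written in Go rather than C# because the point is the protocol shape, not the WCF API; the key sizes, the derivation labels and the sample message are constructed for the example, and the real protocols add nonces, key derivation and token handling that are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// WrapSessionKey (client): fresh random symmetric key, RSA-OAEP-encrypted to the server cert's public key.
func WrapSessionKey(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// UnwrapSessionKey (server): only the private-key holder can recover the session key.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// deriveKeys splits the session key into separate encryption and signing keys (labels are constructed).
func deriveKeys(sessionKey []byte) (encKey, macKey []byte) {
	return hmacSHA256(sessionKey, []byte("encrypt")), hmacSHA256(sessionKey, []byte("sign"))
}

// Protect: AES-256-CTR encrypt, then HMAC-SHA256 "sign" IV||ciphertext. Layout: IV || ciphertext || tag.
func Protect(sessionKey, plaintext []byte) ([]byte, error) {
	encKey, macKey := deriveKeys(sessionKey)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	body := make([]byte, aes.BlockSize+len(plaintext))
	if _, err = rand.Read(body[:aes.BlockSize]); err != nil { // random IV
		return nil, err
	}
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(body[aes.BlockSize:], plaintext)
	return append(body, hmacSHA256(macKey, body)...), nil
}

// Unprotect: constant-time tag check first, so a modified message never yields plaintext.
func Unprotect(sessionKey, msg []byte) ([]byte, error) {
	encKey, macKey := deriveKeys(sessionKey)
	if len(msg) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	if !hmac.Equal(tag, hmacSHA256(macKey, body)) {
		return nil, errors.New("signature (HMAC) verification failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(plaintext, body[aes.BlockSize:])
	return plaintext, nil
}

// RoundTrip runs the exchange; returns the server's recovered plaintext and whether a tampered copy was rejected.
func RoundTrip(plaintext []byte) ([]byte, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the server cert's key pair
	if err != nil {
		return nil, false, err
	}
	clientKey, wrapped, err := WrapSessionKey(&priv.PublicKey)
	if err != nil {
		return nil, false, err
	}
	serverKey, err := UnwrapSessionKey(priv, wrapped)
	if err != nil {
		return nil, false, err
	}
	msg, err := Protect(clientKey, plaintext) // client encrypts and signs
	if err != nil {
		return nil, false, err
	}
	recovered, err := Unprotect(serverKey, msg) // server verifies and decrypts
	if err != nil {
		return nil, false, err
	}
	tampered := append([]byte(nil), msg...)
	tampered[aes.BlockSize] ^= 0x01 // flip one ciphertext bit
	_, tamperErr := Unprotect(serverKey, tampered)
	return recovered, tamperErr != nil, nil
}
```

Calling RoundTrip with a constructed message shows the answer to the original question in code: the "signature" on the client's messages is a MAC keyed from the session key, which proves the message came from whoever holds that key and has not been altered, and it needs no client private key at all. What the MAC does not give is non-repudiation or the identity of a particular client, which is why ClientCredentialType (username, Windows, and so on) still has to supply client authentication on top of the server-certificate channel.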