Hi all,
I'm writing a Web service and face with this problem:
The client must send it's Certificate to server so that the server can check
whether client can get data or not.
Due to some reasons, I don't want to use Https protocol. So I try with WSE
3.0.
But I want to know that when the certificate goes on Internet, does WSE
encrypt it?
If not, the hacker can get client's certificate and use it to get data from
server?(because the server depends on the client's certificate to check the
permission)
Thanks for your answers,

Hi Hung,

WSE uses combinations of encryption and digital signatures to protect your
data and privacy. As for the client certificate you only transfer the public
key.

From your description you would probably want to use one of the
'mutualCertificate' policy assertions, which basically makes everything work
right out the box. Take a look at the WSE documentation and the sample in
%Program Files%\Microsoft
WSE\v3.0\Samples\CS\QuickStart\Security\WSSecurityCertificate but remember to
install the certificates as described in %Program Files%\Microsoft
WSE\v3.0\Samples\readme.htm

Hope that gets you going - but if you are developing real working solutions,
you may want to read up on the concepts behind certificates.

Good luck.


[quoted text, click to view]