I'm working on a test application to implement and examine the requirements of WCF Security before implementation into a development system. The scenario is as follows:
- Client Server Windows Forms Application
- aspnet Membership Provider - username and password authentication
- WCF Services deployed in IIS 6.0 exposed over the Internet
- VS2008, VB.NET, Windows 2003 Server, SQL Server 2005, Dev on XP
The following link is pretty much the scenario and the guiding force behind what I've been doing so far:
So i'm trying to decide on the security needs and I'm currently trying to get this working in a test app with Message Level security, Username Credentials (aspnet membership) and wsHttpBinding. One design goal is to avoid having to install certificates on the client machines, but i'm not sure if this is possible. I've installed a test service certificate on my development machine and it is working, but i'm not sure if the certificate is acting as both client & server certificate.
I'm a little unsure as to this statement:
"For validating the service certificate, the Root CA certificate is installed on the client machine in the Trusted Root Certification Authorities location."
If we were to purchase a service certificate from Verisign (other reputable companies are available), would the client require anything installed on their machine, as such companies already appear in trusted CA's? Our fallback position if to go for standard SSL Transport Security, and I'm wondering if I should give up and start looking at it now?
Any help would be greatly appreciated.