SSL for very simple security need in web service app

[news.microsoft.com]

I'm looking for a nudge in the right direction.

We have an order processing system that currently has a simple ASP.NET web
interface. Various clients who want to place orders already have a userID
and password specified within our application (i.e., not Windows
authentication) that they must supply in order to logon to their 'account'
and submit orders for themselves. They communicate from a browser over the
public internet. The browsers/server utilize SSL for encrypting the web
traffic.

We'd now like to implement this functionality as a web service to interact
with some desktop applications that can generate orders. We'd like to have
the remote app simply transfer the data, presumably in an XML format that we
already have defined, over the public internet, providing their userID and
password.

My question is: if we just add the userID and password in the XML
schema/data, is the SSL layer sufficient to ensure that anyone who might
intercept the traffic en route would not be able to determine the UserID and
password? Once we have the XML data in our app, it would be a trivial matter
to determine if the data is coming from a source that had a legitimate,
active UserID and a valid password. And that's pretty much all we'd need.

I read about WSE, WS-Security, etc. and it all seems like so much overkill
for my needs -- but I can't locate a single, simple scenario that looks like
what I have in mind here.

Any direction would be greatly appreciated!

Rob Schripsema
DeWaard and Jones Company
Bellingham, WA

 

[news.microsoft.com]

My apologies....

That last note went out with a user name of "news.microsoft.com". Apparently
my news reader was misconfigured. It was really from me.

Rob Schripsema
DeWaard and Jones

 

[CESAR DE LA TORRE [MVP]]

If you have a simple scenario, and just end-to-end communication (you do not
have several end-points or middle end-points, and I mean Web-Services Servers
end-points), then, SSL might be enough for you.
About WSE 3.0 and WCF in the future (Windows Communication Foundatio, code
name as Indigo), when talking about security, it offers security at message
level instead of security at transport protocol level (like SSL). It is
better for complex scenarios, middle points WebServices where you don't want
to trust at transport level, so, you can encrypt and signg at message level.
With theses new technologies you also have new standars for complex
communications like WS-SecureConversation, etc.

So, if you have a very simple scenario, SSL might be OK. And of course, it
is secure enough (if you want more security with SSL, use a 128bit Server
Certificate, do not use a 64bit Server Cert.).
--
CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]

 

[Rob Schripsema]

Cesar,

Thanks for the info. There is only a single end point here, a web service
app that simply takes order info, validates it and applies it to a database.
The clients are a variety of apps that will want to send a simple XML
formatted data stream as a single chunk over https: to the web service
address, and then process a simple reply. This is a small business taking
orders from other small businesses.

I would think this is a common need in the industry -- not at the enterprise
level, perhaps, but for the millions of small businesses out there that I
deal with, this is a common scenario. All of the talk about WSE, WCF and so
on tends to cloud the basic issues for the simple scenarios.

Thanks again for your help.

Rob Schripsema
DeWaard and Jones Company

If you have a simple scenario, and just end-to-end communication (you do
not
have several end-points or middle end-points, and I mean Web-Services
Servers
end-points), then, SSL might be enough for you.
About WSE 3.0 and WCF in the future (Windows Communication Foundatio, code
name as Indigo), when talking about security, it offers security at
message
level instead of security at transport protocol level (like SSL). It is
better for complex scenarios, middle points WebServices where you don't
want
to trust at transport level, so, you can encrypt and signg at message
level.
With theses new technologies you also have new standars for complex
communications like WS-SecureConversation, etc.

So, if you have a very simple scenario, SSL might be OK. And of course, it
is secure enough (if you want more security with SSL, use a 128bit Server
Certificate, do not use a 64bit Server Cert.).
--
CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]

My apologies....

That last note went out with a user name of "news.microsoft.com".
Apparently
my news reader was misconfigured. It was really from me.

Rob Schripsema
DeWaard and Jones