Daily Archives: August 27, 2004

Longhorn buzz

So far, I’ve only seen positive feedback on today’s Longhorn announcements from .NET developers in the blog space. I am not referring to any Microsoft employees, but regular developers. From what I’ve read, developer feedback had a role in this decision. The biggest gripe was waiting for enough “Longhorn-capable boxes” to be on the market to make developing for Longhorn (as planned) viable anytime soon. This will now change.

Update: I’m finally seeing some WinFS mourning. I can commiserate with you guys. I didn’t have anything planned (so I can wait); I was just excited about the possibilities of it.

Private & Public Keys

I give up. I want to call private keys “locks”, because there’s only one of each. Public keys can then be “keys”, because a public key is a different entity than a private key and can be duplicated. Isn’t that easier to understand?

So when you are signing, you put your lock on the message and anyone who has the key can unlock it. And they know that it’s ONLY from you, because those keys only work on that one lock. [BTW, you are not literally locking the message. It’s more complex than that. The message itself is not safeguarded, but with digital signatures you have a mechanism for letting the recipient compare the message they received with the message they were supposed to receive: a little digest that you created, locked up, and sent along with the message. They are not unlocking the message, but this digest. Then they do the same thing to the message they received that you did when creating the digest. The digests should match. All that we achieve here is determining whether someone tampered with the message on the way. If so, you don’t want to accept it.*]

When you are encrypting, you only want one person to read the message. So you attach a key that anyone could have, but it only unlocks ONE lock: the lock of the designated recipient. So only that person has the lock that the key fits into.

Well, although you can’t stretch the analogy too far, it still works for me.

*see??? I can explain it in my own words now!! BIG GRIN!
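
The two operations described above (signing a digest of the message and encrypting for a single recipient), as an added example in Go using its standard library; this is not code from the original post, and the key pair names, the sample message and the tampered copy are constructed for illustration:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignDigest puts the sender's "lock" (private key) on a digest of msg.
// The message itself is not protected; only the digest is signed.
func SignDigest(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyDigest recomputes the digest of the received message and checks it
// against the signed digest with the sender's public "key". Any change to
// msg after signing, or a signature made under a different lock, fails.
func VerifyDigest(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// EncryptFor seals msg so that only the holder of the matching private key
// (the designated recipient's "lock") can open it.
func EncryptFor(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a message sealed with EncryptFor.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)    // sender's lock + key
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048) // recipient's lock + key
	msg := []byte("pay 100 to alice")                  // constructed sample message
	sig, _ := SignDigest(sender, msg)
	fmt.Println("untampered verifies:", VerifyDigest(&sender.PublicKey, msg, sig))
	fmt.Println("tampered verifies:", VerifyDigest(&sender.PublicKey, []byte("pay 900 to alice"), sig))
	ct, _ := EncryptFor(&recipient.PublicKey, msg)
	pt, _ := Decrypt(recipient, ct)
	fmt.Println("recipient reads:", string(pt))
	_, err := Decrypt(sender, ct) // the sender's lock does not fit this key
	fmt.Println("wrong lock fails:", err != nil)
}
```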

A few points on WSE Policy

WS-Policy is one of the very cool things that you get to leverage with WSE. I kind of love and hate the fact that there’s a lot of “magic” happening here. When you define policies, your application behaves based on those policies. So on the client end, if you say “the UsernameToken needs to be encrypted”, it just happens; you don’t write code to do the encryption. On the receiving end, you can say “I won’t take anything where the UsernameToken is not encrypted” and it does the checks for you, no coding involved.

So given that (very light) explanation, there is a tool in WSE that helps you build these policies. The output of this tool is a policyCache.config file. You can edit the config file manually (and do a lot more than the tool will let you do), but remember that the tool cannot open a config file back up for editing.

Here’s what’s really important about this (I’ve noted it before, but that was before I had worked with this myself). At TechEd, in response to a question I asked, Don Box said that “non-plumbers” can do security with WSE without having to learn the deeper stuff, but you won’t be able to fix problems. This is very true. I am trying to learn WSE well enough so that I won’t be dangerous. You can get away with using the tools, but you should really know what’s going on in the background, even if you are just doing some simplistic stuff.

Another thing that I think is notable about policies is the list of Policy Limitations in the WSE documentation. This is not about the limitations of WS-Policy, but of WSE 2’s implementation of it. Information like this is your best bet for not being a dangerous programmer. You don’t have to learn WSE inside and out to use it (thank you, WSE 2), but know where you might get in trouble, and know enough to fix problems or do a little tweaking. I am doing a LOT of work to get myself to at least this point. Hopefully I’ll be able to make some of the info more digestible for non-plumbers (like myself), but my message will still be that you have to know what you are working with. Don’t think you can click a few buttons and get away with it.