On Thursday evening I gave a talk on WS Security Fundamentals in Dayton, Ohio. One of the resources I point to is the PAG Guide on Securing Web Services. On the way home the next day, while sitting on the runway in PHL for 2 hours before taking off (uggh), I was reading the latest ASPNET Pro, and Michele Leroux Bustamante’s Under the Hood column was all about X.509 cert management. It’s great advice and I highly recommend it. It’s in the October 2006 issue, which does not have all of its articles online.
Many developers who are starting out with programming message-level security (e.g., with WSE or WCF) definitely have a learning curve when it comes to having to grok all of these bits and pieces of security tools that we have to work with – encryption, hashing, signing, certificates. I don’t know how many times I have seen the question “where do I get a certificate” in the WSE newsgroups. Heck, I had the same question myself once. And it was a lot of work to wrap my head around all of this crypto stuff.
So… if you get ASPNET Pro or you can grab a copy at your local user group, check it out.
I’m going to send this to the sysadmin that works with one of my clients. I spent three months trying to explain to him why I needed a server certificate that was not going to be used for SSL. Aargh. Message level security seems to be a bit of an oxymoron to IT Pros.