WS-Policy is one of the very cool things that you get to leverage with WSE. I kind of love and hate the fact that there’s a lot of “magic” happening here. When you define policies, your application behaves based on those policies. So on the client end if you say “usernametoken needs to be encrypted”, it just happens, you don’t write code to do the encryption. On the receiving end, you can say “I won’t take anything where the usernametoken is not encrypted” and it does the checks for you – no coding involved.

So given that (very light explanation), there is a tool in WSE that helps you build these policies. The output of this tool is a policycache.config file. Since you can edit the config file manually (and do a lot more than the tool will let you do) remember that the tool cannot open a config file back up for editing.

Here’s what’s really important about this, and (I’ve  noted this before) but that was before I had worked with this myself. At TechEd, in response to a question I asked, Don Box said that “non-plumbers” can do security with WSE without having to learn the deeper stuff, but you won’t be able to fix problems. This is very true. I am trying to learn WSE well enough so that I won’t be dangerous. You can get away with using the tools, but you should really know what’s going on in the background, even if you are just doing some simplistic stuff.

Another thing that I think is notable about about Policies is this list of Policy Limitations in the WSE documentation. This is not about the limitations of WS-Policy, but of WSE2’s implementation of it. Information like this is your best bet for not being a dangerous programmer. You don’t have to learn WSE inside and out to use it (thank you WSE2) but know where you might get in trouble, know enough to fix problems or do a little tweaking. I am doing a LOT of work to get myself to at least this point. Hopefully I’ll be able to make some of the info more digestable for non-plumbers (like myself) but my message will still be that you have to know what you are working with. Don’t think you can click a few buttons and get away with it.

Aha! I had seen many samples of getting a digital certificate out of the client machines certificate store, but all of the examples were sending in some pre-defined private key.

Let me back up. When you get a digital certificate and install it on your machine, it has a private key associated with it. So when you are using WSE2’s FindCertificateByKeyIdentifier method, you pass in that key and it gives you back the certificate so you can sign whatever it is you want to sign.

In all of the examples I was looking at, the key was “predetermined“. For example in one article it passed in a variable and said “by the way, this private key is stored in the app.config”, or “previously stored private key” pr in the example of the hands on labs, you just manually pasted the key into your code after copying it from the WSE Certificate Tool (a UI that comes with WSE so you can easily work with your X509 certs). But I could never figure out how the key was being retrieved dynamically.

What was bugging me was this: if you have a client application and an end user installs it on their machine, what is the end-user experience when dealing with the key? How is that pre-determined key being discovered?

Now I see that basically you need to get the user to tell you which of their digital signatures they want to use when using this client to access your web service. D’uh, that’s not so bad. So either you have some setup routine where the user can choose the signature and then store the key in a settings file or just have them choose the key dynamically during the application execution. There are of course different scenarios where you would want one method over the other. There is a Quickstart sample (AsymmetricEncryptionCode) that demonstrates how to popup a dialog box and have the user choose from the correct signatures included with the WSE2 install.

There are other methods for getting a digital signature besides by the private key. Again, based on what you are trying to accomplish, you would choose what method to use. But this was the most common scenario in the samples I have looked at so far.

(I’m very open to corrections if I have stated anything incorrectly here. And James, just because I’m a little thick, doesn’t mean this stuff is *so* hard that we should all switch to smalltalk :-))

Once again, I’m getting it from James (though he and I agree to respectfully disagree with each other) for *considering* the DotFuscator Community Edition that is bundled in with Visual Studio .NET.

Here are his posts:

http://www.artima.com/forums/flat.jsp?forum=155&thread=67231

http://www.cincomsmalltalk.com/blog/blogView?showComments=true&entry=3270899203

James is a passionate guy. I’m just a curious girl.

I explicitly chose to put the google toolbar in my i.e.. I *never* installed a Yahoo toolbar and I was never asked. It just appeared out of nowhere. That ticks me off – quite a lot. What’s going on here? Is Yahoo being run by the we-are-going-to-take-over-your-computer Real Networks, now? I wonder if it was because I went to a website that uses MacroMedia Shockwave and I said yes to installing that but changed my mind and aborted.

Well, here’s another pretty picture for you, Yahoo..