A better approach would be to use the WSE SDK in the .NET release, which contains a limited implementation of WS-Security. The WSE SDK has not yet been released for production use. Therefore, if you don't plan on an immediate release of your product, you would be better served by using WSE, as this is the future direction of Web services security. While WSE doesn't yet support the Compact Framework, it does support the building blocks for using WS-Security. When you use WS-Security, the client and server do not have to support the same platform or language, and it supports multi-hop scenarios. You can download and find out about WSE at http://www.microsoft.com/downloads/details.aspx?familyid=21fb9b9a-c5f6-4c95-87b7-fc7ab49b3edd&displaylang=en. I would recommend learning how to use WSE and making sure your product will be able to support WS-Security in the future.
In summary: For the near term, SSL is a good solution as long as you stay within the limitations of SSL. I would recommend using SSL mutual authentication. You will also need some kind of authorization. Depending on your scenario, you could use a simple access control list (ACL) to permit or deny the authenticated user access. Do not neglect this second step, as authentication alone is not sufficient to secure your resources. Prepare your application to move to WS-Security in the not too distant future.
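The two steps from the summary, mutual SSL authentication followed by an ACL check, are sketched here in Python as an added example that is not part of the original answer. The ACL entries, operation names and sample certificate are constructed, and keying the ACL on the certificate's common name is an assumption.

```python
import ssl

# Constructed ACL: certificate common name -> operations that identity may call.
ACL = {
    "inventory-client": {"GetStock", "ListItems"},
    "billing-client": {"GetInvoice"},
}

# Constructed sample in the dict format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": (
        (("organizationName", "Example Corp"),),
        (("commonName", "inventory-client"),),
    )
}


def make_server_context(ca_file=None):
    """Step one: a TLS server context that demands a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Without this the server accepts anonymous clients (the default is CERT_NONE).
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        # CA that issues the client certificates you are willing to trust.
        ctx.load_verify_locations(cafile=ca_file)
    # A real server also loads its own key pair with ctx.load_cert_chain(...).
    return ctx


def common_name(peer_cert):
    """Return the subject CN from a getpeercert() dict, or None if absent."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_authorized(peer_cert, operation, acl=ACL):
    """Step two: default-deny ACL check on the already authenticated identity."""
    if not peer_cert:  # no certificate was presented
        return False
    name = common_name(peer_cert)
    return name is not None and operation in acl.get(name, set())
```

A client with a valid certificate that is missing from the ACL passes the handshake but is refused every operation, which is the gap the authorization step closes.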