views: 18
answers: 1
I am fairly new to web development and have never used Digital Certificates before. I assume using a digital certificate on a Silverlight web page is the same as using one on any other web page, but I thought I should check. There are a few examples of digitally signing the .xap file on the internet; would it then be a case of simply buying the certificate (from VeriSign or somewhere similar) and distributing it to customers?

A: 

It sounds like you're confusing code signing with serving content over HTTPS.

Signing your code lets people know that it really was you that wrote it, and can trust that it hasn't been tampered with by anyone else.

HTTPS allows a web client to know that communications between it and the web server are secure from snooping (the exception being when the client is configured to go via a proxy server, which could be malicious).

You can use both independently, or together. For any "shrink-wrap" style software release, I would recommend signing your code. If you handle any sensitive data on your website, such as credit card details, then you should handle this data only over HTTPS (I believe most credit card companies require this in their terms and conditions anyway).

Rowland Shaw
Hi @Rowland, I do mean Digital Certificates. The sort that are installed on a client's machine and allow them to automatically sign in when entering the site. I think I was misleading in my question, apologies.
Ben
@Ben Have you an example of something doing this style of authentication?
Rowland Shaw
In any case, if you're streamlining authentication (from a native application), you should be getting the public keys of your customers (so that if one stops paying their bill, they can be cut off independently of all the others)
Rowland Shaw
Maybe I'm misinterpreting what they are doing here - http://www.simple-talk.com/dotnet/.net-framework/beginning-with-digital-signatures-in-.net-framework/, but I thought that this is issuing the customer with the certificate (a public key) that authenticates them when they enter the site?
Ben
@Ben I thought you were meaning for the browser to do this ahead of your Silverlight app being deployed to the client. If the data is sensitive, it may be a lot simpler to just transmit over HTTPS. By signing the data, all you'll ascertain is that the data came from who you thought, and hasn't been tampered with on the way - it doesn't guarantee that it hasn't been snooped on.
Rowland Shaw
Oh, and please don't send the public key alongside the signature, as anyone with malicious intent could alter the payload and resign with their own key, which they'd pass on with their own signature...
Rowland Shaw
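An added illustration of that last comment (example code, not from the question, the answer, or the linked article, and in Go rather than .NET): a verifier that trusts the public key shipped alongside the signature accepts any payload re-signed under some other key, whereas a verifier holding the customer's key obtained out of band rejects it. The `SignedMessage` format and the invoice payloads are constructed for this example.

```go
package main

import "crypto/ed25519"

// SignedMessage is a constructed wire format for this example: the payload, an
// Ed25519 signature over it, and the public key the sender chose to ship along.
type SignedMessage struct {
	Payload   []byte
	Signature []byte
	PubKey    ed25519.PublicKey // travels with the message, so it proves nothing
}

// Sign signs payload with priv and attaches priv's public key to the message.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedMessage {
	return SignedMessage{
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
		PubKey:    priv.Public().(ed25519.PublicKey),
	}
}

// VerifyWithShippedKey is the pattern the comment warns against: the check
// uses whatever key arrived with the message, so any re-signed message passes.
func VerifyWithShippedKey(m SignedMessage) bool {
	return ed25519.Verify(m.PubKey, m.Payload, m.Signature)
}

// VerifyWithTrustedKey checks only against a key obtained out of band, e.g.
// the key a customer registered with you when their account was set up.
func VerifyWithTrustedKey(trusted ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(trusted, m.Payload, m.Signature)
}

// mustKey generates a fresh key pair (nil reader means crypto/rand is used).
func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario signs a genuine message under the customer's key, then builds a
// message with a changed payload signed under some other key, and reports
// what each verifier accepts. Expected: true, false, true.
func Scenario() (shippedAcceptsResigned, trustedAcceptsResigned, trustedAcceptsGenuine bool) {
	customerPub, customerPriv := mustKey() // customerPub is what you store out of band
	_, otherPriv := mustKey()
	genuine := Sign(customerPriv, []byte("invoice 42: amount 10.00"))
	resigned := Sign(otherPriv, []byte("invoice 42: amount 0.01"))
	return VerifyWithShippedKey(resigned),
		VerifyWithTrustedKey(customerPub, resigned),
		VerifyWithTrustedKey(customerPub, genuine)
}
```

The same reasoning applies to a certificate: the verifier must chain it to a root it already trusts rather than accept whatever certificate accompanies the data.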