I'm planning to build a set of web services which are going to use a Geneva-based custom STS to authenticate users. Both the STS and the relying services will belong to the same party, so the whole goal of going to federated security is providing a Single Sign-On point and retrieving all the authorization information only once. Both the STS and the relying services will be accessed via HTTPS.
So my questions are:
It seems perfectly OK to use the same certificate for both signing and encrypting the security token. Am I right?
Is it possible to use the same certificate for providing SSL, encrypting and signing the token? According to http://weblogs.asp.net/cibrax/archive/2006/11/17/x509-certificates-for-wse-and-wcf-part-2.aspx, the certificates required for WCF seem to have a broader set of attributes than SSL certificates and hence may be used for all these purposes. Is that true?
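Whether one certificate can play all three roles comes down to its key usage and extended key usage attributes, which can be checked mechanically. The following Go program is an added example, not code from the question or from the linked article: it builds self-signed test certificates (constructed data, not real STS certificates) and checks each against the three purposes. The purpose-to-attribute mapping is this example's own assumption: the serverAuth EKU plus digitalSignature or keyEncipherment for an HTTPS server, digitalSignature for token signing, and keyEncipherment for token encryption, where the token's symmetric key is wrapped with the certificate's RSA public key. The host name `sts.example.test` is hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Purpose is one of the roles a certificate plays in an STS / relying-party setup.
type Purpose string

const (
	PurposeTLSServer    Purpose = "https-server"     // terminates HTTPS on the STS or a relying service
	PurposeTokenSigning Purpose = "token-signing"    // the STS signs the issued token with this key
	PurposeTokenEncrypt Purpose = "token-encryption" // the token's symmetric key is wrapped to this cert
)

// hasEKU reports whether cert allows the extended key usage want.
// Per RFC 5280 a certificate with no EKU extension at all is unrestricted.
func hasEKU(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, e := range cert.ExtKeyUsage {
		if e == want || e == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// hasKU reports whether cert's KeyUsage extension permits at least one bit in want.
// A certificate without a KeyUsage extension (cert.KeyUsage == 0) is unrestricted.
func hasKU(cert *x509.Certificate, want x509.KeyUsage) bool {
	return cert.KeyUsage == 0 || cert.KeyUsage&want != 0
}

// Suitable reports whether cert's attributes permit purpose p and, if not, why.
// Assumption (not from the post): RSA keys; token encryption uses RSA key transport
// (keyEncipherment); a TLS server either signs the handshake (digitalSignature) or
// does RSA key exchange (keyEncipherment).
func Suitable(cert *x509.Certificate, p Purpose) (bool, string) {
	switch p {
	case PurposeTLSServer:
		if !hasEKU(cert, x509.ExtKeyUsageServerAuth) {
			return false, "missing serverAuth extended key usage"
		}
		if !hasKU(cert, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment) {
			return false, "key usage allows neither digitalSignature nor keyEncipherment"
		}
	case PurposeTokenSigning:
		if !hasKU(cert, x509.KeyUsageDigitalSignature) {
			return false, "key usage lacks digitalSignature"
		}
	case PurposeTokenEncrypt:
		if !hasKU(cert, x509.KeyUsageKeyEncipherment) {
			return false, "key usage lacks keyEncipherment"
		}
	default:
		return false, "unknown purpose"
	}
	return true, ""
}

// MakeTestCert builds a self-signed RSA certificate (constructed test data) with
// the given common name, key usage bits and extended key usages.
func MakeTestCert(cn string, ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{"sts.example.test"}, // hypothetical host name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     ku,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// One certificate meant to cover HTTPS, token signing and token encryption at once.
	allInOne, err := MakeTestCert("all-in-one",
		x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	// A signing-only certificate: without keyEncipherment it cannot receive encrypted tokens.
	signOnly, err := MakeTestCert("sign-only",
		x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{allInOne, signOnly} {
		for _, p := range []Purpose{PurposeTLSServer, PurposeTokenSigning, PurposeTokenEncrypt} {
			ok, why := Suitable(c, p)
			fmt.Printf("%-12s %-16s ok=%-5v %s\n", c.Subject.CommonName, p, ok, why)
		}
	}
}
```

Passing all three checks only says that the certificate's attributes permit the roles. It does not by itself make sharing one key pair a good design: a single private key then protects the TLS sessions, the integrity of every issued token and the confidentiality of every encrypted token, so one key compromise breaks all three, and rotating it forces a simultaneous change on the STS and every relying service.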