X.509 security can be implemented at different layers of the network or application infrastructure, and each implementation has its own advantages and disadvantages:
Secure Sockets Layer (SSL)
SSL is a secure handshake protocol that uses X.509 certificates at
the transport layer. It enables two parties to establish a session to
communicate securely by providing confidentiality, data integrity and data
origin authentication. Some of the advantages of using SSL are:
- SSL is a well-established protocol that is broadly interoperable, easy to configure and use.
- SSL has a performance advantage over message layer security since it is closer to the operating system than the message layer.
While SSL has some strong advantages, it does have a few shortfalls:
- SSL operates point-to-point, which means that messages cannot be persisted in a secure state and SSL-encrypted SOAP messages cannot be processed by intermediaries without first being decrypted.
- If used in conjunction with WSE 2.0 message layer security mechanisms to provide a complete set of security features, it is difficult to determine from the message layer that SSL is providing its part of the required security features, and vice versa.
WS-Security X.509 Binary Security Token
At the message layer, X.509 certificates can be used as binary
security tokens as per the WS-Security specification to sign and encrypt
messages to provide data confidentiality and data origin authentication.
Some primary advantages of using X.509 at the message layer with
binary security tokens are:
- Message layer X.509 security is flexible enough to provide either point-to-point or end-to-end security, allowing messages to be persisted in a secure state for short periods of time for queue-based processing or for longer periods of time in an archived state.
- Message layer X.509 provides a high degree of interoperability, because its standards are based on the messages as they are sent over the wire rather than on the implementation for a particular platform.
Message layer X.509 security also carries certain drawbacks:
- Processing of message layer X.509 security tends to have a greater impact on system performance than X.509 security implemented closer to the hardware.
- While message layer X.509 security provides a great deal of flexibility, it tends to be more complex to implement than X.509 security at other layers, requiring more knowledge of the underlying protocols, security policy, and programming against a Web services security API.
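The following is an added example, not code from the page or from the WSE 2.0 samples, showing how the message layer X.509 binary security tokens described above are applied with the WSE 2.0 API: the client signs with its own certificate (private key) and encrypts to the service's certificate, and the service confirms that the body arrived signed by an X.509 token rather than relying on the transport. The certificate subject names, the proxy class name MyServiceWse, and the SignatureOptions check (WSE 2.0 SP2 or later) are assumptions.

```csharp
using System;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;
using Microsoft.Web.Services2.Security.X509;

public class X509MessageSecurity
{
    // Looks up a certificate by subject in the LocalMachine "My" store.
    // The subject names passed in below are assumed for this example.
    static X509Certificate FindCert(string subject)
    {
        X509CertificateStore store =
            X509CertificateStore.LocalMachineStore(X509CertificateStore.MyStore);
        store.OpenRead();
        X509CertificateCollection certs = store.FindCertificateBySubjectString(subject);
        if (certs.Count == 0)
            throw new ApplicationException("certificate not found: " + subject);
        return certs[0];
    }

    // Client side. The signing token needs the client's private key; the
    // encryption token only needs the service's public certificate. Both
    // travel as wsse:BinarySecurityToken elements in the Security header,
    // so the message remains protected if an intermediary queues or archives it.
    public static void SecureRequest(MyServiceWse proxy)
    {
        X509SecurityToken signer = new X509SecurityToken(FindCert("CN=ClientApp"));
        X509SecurityToken recipient = new X509SecurityToken(FindCert("CN=OrderService"));
        SoapContext ctx = proxy.RequestSoapContext;
        ctx.Security.Tokens.Add(signer);
        ctx.Security.Elements.Add(new MessageSignature(signer));
        ctx.Security.Elements.Add(new EncryptedData(recipient));
    }

    // Service side. Unlike SSL, the message layer can be inspected directly:
    // reject the request unless the SOAP body was signed with an X.509 token.
    public static bool BodySignedByX509(SoapContext request)
    {
        foreach (ISecurityElement element in request.Security.Elements)
        {
            MessageSignature sig = element as MessageSignature;
            if (sig != null && sig.SigningToken is X509SecurityToken
                && (sig.SignatureOptions & SignatureOptions.IncludeSoapBody) != 0)
                return true;
        }
        return false;
    }
}
```

Call BodySignedByX509(RequestSoapContext.Current) at the top of the Web method and return a SOAP fault when it is false, so an unsigned or only transport-protected request is refused.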
IPSec
IPSec provides a secure tunnel between two machines hosting
applications that access resources or communicate with other applications.
X.509 can be used in IPSec to authenticate hosts and negotiate a secure session
between them. IPSec has some advantages that make it a viable solution for
X.509 security:
- Performance. IPSec benefits from performance since it is close to the hardware layer, operating in the protocol stack between the data link and network layers.
- Ease of configuration. IPSec is easy to configure and implement on Windows Server 2003.
Much like other X.509 security implementations at other layers,
X.509 IPSec has a disadvantage that must be considered:
Microsoft Confidential. © 2005 Microsoft Corporation.
All rights reserved. By using or providing feedback on these materials, you
agree to the attached license agreement.