WSE

451 of 493 | WSE 2.0 Web service security in a real-world scenario - my previous post, Mark Naughton asked an excellent question about how he'd apply WSE 2.0 security to a particular scenario.  The answer highlights how to determine which SecurityToken to use in your environment, how to encrypt a UsernameToken with an X509 certificates with code and policy as well as handling authorization with X509 certificates and determining how to distinguish tokens received by a service. Martin's scenario An End User uses a Web-based UI Application (ASP.NET 1.1). The Web Application talks to a Web Service (ASMX) for data storage and other processing. The Web Service needs to identify the End User and the "direct" calling application (The Web UI ......

452 of 493 | WSE 2.0 Web service security in a real-world scenario - my previous post, Mark Naughton asked an excellent question about how he`d apply WSE 2.0 security to a particular scenario.  The answer highlights how to determine which SecurityToken to use in your environment, how to encrypt a UsernameToken with an X509 certificates with code and policy as well as handling authorization with X509 certificates and determining how to distinguish tokens received by a service. Martin`s scenario An End User uses a Web-based UI Application (ASP.NET 1.1). The Web Application talks to a Web Service (ASMX) for data storage and other processing. The Web Service needs to identify the End User and the "direct" calling application (The Web UI A......

453 of 493 | WSE 2.0 Web service security in a real-world scenario - my previous post, Mark Naughton asked an excellent question about how he`d apply WSE 2.0 security to a particular scenario.  The answer highlights how to determine which SecurityToken to use in your environment, how to encrypt a UsernameToken with an X509 certificates with code and policy as well as handling authorization with X509 certificates and determining how to distinguish tokens received by a service. Martin`s scenario An End User uses a Web-based UI Application (ASP.NET 1.1). The Web Application talks to a Web Service (ASMX) for data storage and other processing. The Web Service needs to identify the End User and the "direct" calling application (The Web UI A......

454 of 493 | Blog coverage of my CTS302: WSE 2.0 Security session - My TechEd conference-buddy John Bristowe has a blow-by-blow account of my CTS302 Securing Web Services with WSE 2.0 session at Teched.  Michael Earls has some notes and a couple of photos from the repeat session (which was a little fast because it turned out to be 45 minutes rather than an hour).  Aaron Skonnard mentions my first session in his TechEd trip report on his new PluralSight blog: Benjamin Mitchell`s session on Web services security using WSE was excellent. His was the clearest presentation I`ve seen on general security concepts along with concrete code examples. That`s going straight to the pool room.  After covering so many ......

455 of 493 | Blog coverage of my CTS302: WSE 2.0 Security session - My TechEd conference-buddy John Bristowe has a blow-by-blow account of my CTS302 Securing Web Services with WSE 2.0 session at Teched.  Michael Earls has some notes and a couple of photos from the repeat session (which was a little fast because it turned out to be 45 minutes rather than an hour).  Aaron Skonnard mentions my first session in his TechEd trip report on his new PluralSight blog: Benjamin Mitchell`s session on Web services security using WSE was excellent. His was the clearest presentation I`ve seen on general security concepts along with concrete code examples. That`s going straight to the pool room.  After covering so many ......

456 of 493 | Blog coverage of my CTS302: WSE 2.0 Security session - My TechEd conference-buddy John Bristowe has a blow-by-blow account of my CTS302 Securing Web Services with WSE 2.0 session at Teched.  Michael Earls has some notes and a couple of photos from the repeat session (which was a little fast because it turned out to be 45 minutes rather than an hour).  Aaron Skonnard mentions my first session in his TechEd trip report on his new PluralSight blog: Benjamin Mitchell's session on Web services security using WSE was excellent. His was the clearest presentation I've seen on general security concepts along with concrete code examples. That's going straight to the pool room.  After co......

457 of 493 | WSE 2.0 Policy and Config: Powering 'no code' web service security solutions - In the last post I showed how it takes only 1 line of code to ensure that a web service client signs all messages with a UsernameToken by creating a send-side policy with the WSE 2.0 Security Settings Tool.  In this post I show the same feat can be achieved with an X509Token without writing a single line of code.  I also show how this functionality powers WSE's support for automatic secure conversation without having to write any code, something that blew me away the first time I saw it. X509Tokens can be located through Policy and Config In the last post I covered how the PolicyEnforcementOutputFilter checks the send-side policy when processing output messa......

458 of 493 | WSE 2.0 Policy and Config: Powering `no code` web service security solutions - In the last post I showed how it takes only 1 line of code to ensure that a web service client signs all messages with a UsernameToken by creating a send-side policy with the WSE 2.0 Security Settings Tool.  In this post I show the same feat can be achieved with an X509Token without writing a single line of code.  I also show how this functionality powers WSE`s support for automatic secure conversation without having to write any code, something that blew me away the first time I saw it. X509Tokens can be located through Policy and Config In the last post I covered how the PolicyEnforcementOutputFilter checks the send-side policy when processing outpu......

459 of 493 | WSE 2.0 generated policy and derived keys - While playing with the WSE Security Settings Wizard I discovered that the generated policy requires a DerivedKeyToken to be used to sign the messages rather than the original security tokens.  This is a good thing, but isn`t obvious from the wizard screens.  I thought I`d provide some background on what derived keys are, why they are useful and how to ensure your WSE services use them through code or policy.  Derived Keys: what are they and why are they useful Using a derived key is a good thing as it means a different key is used to sign and/or encrypt each message.  Changing the key each time makes it more difficult to perform a ciphertext-only att......

460 of 493 | WSE 2.0 generated policy and derived keys - While playing with the WSE Security Settings Wizard I discovered that the generated policy requires a DerivedKeyToken to be used to sign the messages rather than the original security tokens.  This is a good thing, but isn't obvious from the wizard screens.  I thought I'd provide some background on what derived keys are, why they are useful and how to ensure your WSE services use them through code or policy.  Derived Keys: what are they and why are they useful? Using a derived key is a good thing as it means a different key is used to sign and/or encrypt each message.  Changing the key each time makes it more difficult to perform a ciphertext-only ......

461 of 493 | CTS302: WSE 2.0 and Security repeating tomorrow - As Rebecca Dias notes, I'm repeating my CTS302: Security Web Services with WSE 2.0 talk tomorrow at 12:15 in room 33ABC.   Yesterday's talk was so crowded that firemarshals shut the door (and many attendees had to touch elbows with the person next to them).  Even Keith Ballinger, the WSE Program Manager, was left out in the corridor! If you were at the talk yesterday I'd be grateful if you complete the session evaluation form on the conference CommNet.  These evaluations are extremely valuable and all of the feedback is noted. I'd like to extend the 'being at the conference through blogs' experience and invite any readers to leave ......

462 of 493 | CTS302: WSE 2.0 and Security repeating tomorrow - As Rebecca Dias notes, I`m repeating my CTS302: Security Web Services with WSE 2.0 talk tomorrow at 12:15 in room 33ABC.   Yesterday`s talk was so crowded that firemarshals shut the door (and many attendees had to touch elbows with the person next to them).  Even Keith Ballinger, the WSE Program Manager, was left out in the corridor! If you were at the talk yesterday I`d be grateful if you complete the session evaluation form on the conference CommNet.  These evaluations are extremely valuable and all of the feedback is noted. I`d like to extend the `being at the conference through blogs` experience and invite any readers to leave questions on this p......

463 of 493 | soap.smtp:// - I finished up my sample implementation of an SMTP transport for Wse2. Thanks to the power of WSE, you can now easily call Web Services via email :) The code is attached to this message. Instead of writing up a full article on the implementation, I peppered the code extremely liberally with comments. As a result, the explanation of the code is interleaved with the code itself. I’ll probably write more in depth about specific parts of the implementation, but hopefully the comments in the code should suffice for now. Thanks to Pawel Lesnikowski for the excellent POP3 library. You can find that implementatio......

464 of 493 | soap.smtp:// - I finished up my sample implementation of an SMTP transport for Wse2. Thanks to the power of WSE, you can now easily call Web Services via email :) The code is attached to this message. Instead of writing up a full article on the implementation, I peppered the code extremely liberally with comments. As a result, the explanation of the code is interleaved with the code itself. I’ll probably write more in depth about specific parts of the implementation, but hopefully the comments in the code should suffice for now. Thanks to Pawel Lesnikowski for the excellent POP3 library. You can find that implementatio......

465 of 493 | Questions from Don and Doug's Service Orientation presentation - Don Box and Doug Purdy did a 'keynote' for the Connected Systems Track.  They started out by asking what questions the audience wanted to see.  A great set of questions were proposed and the answers contained some of the most valuable content in the session.  Here are my notes on their answers, and some they didn't get time to do. How does WSE 2.0 fit in with the Indigo direction? It lets you use the protocols we have today.  WSE takes your ASMX investment and keeps you in the game as we do this protocol work.  If you don't track the protocols it may not be so important.  Indigo will be the primary technology for using the WS-*&nbs......

466 of 493 | Questions from Don and Doug`s Service Orientation presentation - Don Box and Doug Purdy did a `keynote` for the Connected Systems Track.  They started out by asking what questions the audience wanted to see.  A great set of questions were proposed and the answers contained some of the most valuable content in the session.  Here are my notes on their answers, and some they didn`t get time to do. How does WSE 2.0 fit in with the Indigo direction It lets you use the protocols we have today.  WSE takes your ASMX investment and keeps you in the game as we do this protocol work.  If you don`t track the protocols it may not be so important.  Indigo will be the primary technology for using the WS-* specifications in future.  ......

467 of 493 | Tracing with WSE 2.0 - When developing with WSE it is often useful to be able to see what is going out on the wire.  Changes in the WSE 2.0 release mean that is no longer possible to use tracing tools such as tcpTrace and MSSoapT.  Christop Schittko has a good post on the background to this problem and shows how to use the inbuilt-WSE trace capabilities to get around it.  There`s also another solution, which is to use Mindreef SOAPScope`s WebProxy, and as I was writing this I noticed that Mike Taulty has also posted his WSE 2.0 trace tool, which has become my new default favourite. Background The previous approach to tracing in WSE was to listen on a one port with a tracing ......

468 of 493 | Tracing with WSE 2.0 - When developing with WSE it is often useful to be able to see what is going out on the wire.  Changes in the WSE 2.0 release mean that is no longer possible to use tracing tools such as tcpTrace and MSSoapT.  Christop Schittko has a good post on the background to this problem and shows how to use the inbuilt-WSE trace capabilities to get around it.  There's also another solution, which is to use Mindreef SOAPScope's WebProxy, and as I was writing this I noticed that Mike Taulty has also posted his WSE 2.0 trace tool, which has become my new default favourite. Background The previous approach to tracing in WSE was to listen on a one port with a tracing t......

469 of 493 | Transports, channels, and the office mailroom - I work in a fairly large office building with a central mailroom. The existence of this mailroom greatly simplifies life for both me and the postal service employee who delivers mail to my building. I have a centralized place to pick up my mail, and the mail carrier doesn’t have to hunt around the entire building looking for every individual office. Instead, there’s one guy at my company whose job is to take the bundle of incoming mail and distribute it to the mailboxes of each person in the building. In this way, large numbers of messages can be delivered to their appropriate recipients quickly, with minimal work on everyone’s pa......

470 of 493 | Transports, channels, and the office mailroom - I work in a fairly large office building with a central mailroom. The existence of this mailroom greatly simplifies life for both me and the postal service employee who delivers mail to my building. I have a centralized place to pick up my mail, and the mail carrier doesn’t have to hunt around the entire building looking for every individual office. Instead, there’s one guy at my company whose job is to take the bundle of incoming mail and distribute it to the mailboxes of each person in the building. In this way, large numbers of messages can be delivered to their appropriate recipients quickly, with minimal work on everyone’s pa......

471 of 493 | WSE 2.0 Messaging - WSE2 is finally out, so I’m finally out from underneath an NDA. Phew, I feel like I can breathe again… Most of my work with WSE2 thus far has been dealing with the core messaging model and transport system. I’ve learned a lot from working with it, and I’ll be blogging about some of the interesting things I’ve noticed. However, before I dive into the gory details, it’s best to describe an overview of the WSE2 messaging architecture. WSE 2.0 offers three different layers of abstraction for dealing with messaging. Which layer you choose to program against depends largely on who you are and what you’re trying to a......

472 of 493 | WSE 2.0 Messaging - WSE2 is finally out, so I’m finally out from underneath an NDA. Phew, I feel like I can breathe again… Most of my work with WSE2 thus far has been dealing with the core messaging model and transport system. I’ve learned a lot from working with it, and I’ll be blogging about some of the interesting things I’ve noticed. However, before I dive into the gory details, it’s best to describe an overview of the WSE2 messaging architecture. WSE 2.0 offers three different layers of abstraction for dealing with messaging. Which layer you choose to program against depends largely on who you are and what you’re trying to a......

473 of 493 | Steve Ballmer Keynote - I'm with all of the 'Blue Shirts', speakers and the Microsoft staff, in the keynote overflow room, sharing the experience of watching Steve Ballmer on a video screen.  Here are some key points: He's looking trimmer. A gasp of 'Atkins!' went around the room. Key messages - do more with less. The next 10 years are going to be even greater than the last. Only Pfizer spends more than Microsoft on R&D. Remember 10 years ago TCP/IP was a separate business to the OS. Integration is the key. How many data access layers does Microsoft need. How can we narrow down the skillset required to know how to use the products. Integrate to reduce the overhead re......

474 of 493 | WSE 2.0 RTM Arrives - After 10 months of gestation (since Tech Preview last July), it is with great pleasure that we announce the arrival of WSE 2.0 RTM.  WSE weighed 7.2MB upon arrival.  Pictures can be downloaded here.  Mommy and baby are doing fine (recovering slowly from a lengthy delivery :-)).  SteveB made the official announcement during his keynote at Tech Ed this morning. WSE 2.0 adds more sophisticated Web Services security features, including support for secure conversations, security token services, delegated trust, integration with Kerberos and X509, and policy-driven declarative security.  This release also includes support for a S......

475 of 493 | Presenting at Web Services Interoperability Day - Before TechEd San Diego I`m going to be presenting a SAML token issuer sample with Michele Leroux Bustamante as part of the Web Service Interoperability Day this Saturday.  The event is a chance to actually see interoperability happening, rather than just watching PowerPoint slides.  We`ll be focussing on showing real code demonstrate WS-Security (now an OASIS standard that will be implemented with the release of WSE 2.0) and WS-Policy. Getting the demos ready has been an international collaboration.  John Bristowe has been waving the WSE/Policy `Pom Poms`.  Chris Haddad is doing the Java implementation with OpenSAML. After the demonstration there`s ......

476 of 493 | Solving "The underlying connection was closed" when using WSE - Some time ago I`ve posted a code snippet to solve following exception which in some cases can happen when you`re calling a web service: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send.at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)at ... It seems that this exception also pops up when using Web Services Enhancements (WSE), but the solution I provided doesn`t work in that case. You can`t get directly to the underly......

477 of 493 | Solving "The underlying connection was closed" when using WSE - Some time ago I've posted a code snippet to solve following exception which in some cases can happen when you're calling a web service: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send.at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)at ... It seems that this exception also pops up when using Web Services Enhancements (WSE), but the solution I provided doesn't work in that case. You can't get directly to the under......

478 of 493 | WSE: Compression Filters - Matthew Lynn asked for the WSE compression filter code, and here it is. My colleague Martin Valland and I wrote this code based on an idea we had for a compression specification for web services. This implementation as well as the SOAP extensions it relies upon is proprietary. As far as I know there is currently no publicly available specification that addresses this particular subject. The code relies upon #ziplib for the compression algorithms. This is a prototype implementation and it comes without warranty of any kind. ...

479 of 493 | WSE: Compression, Security and Performance - We have been doing a lot of WSE testing at work while developing our new integration infrastructure. As a part of this project we have built a filter for message level compression in WSE. One of the interesting things we found out while performance testing the solution was the speed increase resulting from message compression. The system we are building transfers sensitive data across the internet and we are using X509 certificates for integrity and confidentiality. Naturally, we had to apply the compression before the security mechanisms were invoked, as compressing encrypted data isn’t efficient at all. However compressing xml data is very efficient; often re......

480 of 493 | Indigo is an API, BizTalk is a set of tools - When I was clarifying the Microsoft Messaging Message I said I`d watch the PDC DAT 420 presentation on BizTalk and Indigo.  As my PDC DVDs arrived this week I didn`t have to download the presentation I finally got around to watching it.  Here are the key points I took from the presentation: From a BizTalk perspective, Indigo is the vehicle that will provide secure, reliable transacted services (over more than just http).> Indigo is an API, BizTalk is a set of tools.  Indigo will natively integrated into the next version of BizTalk after BizTalk 2004.  The demos showed a prototype Indigo adapter that worked with BizTalk 2004.> ......

481 of 493 | Indigo is an API, BizTalk is a set of tools - When I was clarifying the Microsoft Messaging Message I said I`d watch the PDC DAT 420 presentation on BizTalk and Indigo.  As my PDC DVDs arrived this week I didn`t have to download the presentation I finally got around to watching it.  Here are the key points I took from the presentation: From a BizTalk perspective, Indigo is the vehicle that will provide secure, reliable transacted services (over more than just http).> Indigo is an API, BizTalk is a set of tools.  Indigo will natively integrated into the next version of BizTalk after BizTalk 2004.  The demos showed a prototype Indigo adapter that worked with BizTalk 2004.> ......

482 of 493 | Solving "The underlying connection was closed: An unexpected error occurred on a send." (Webservices) - UPDATE: For solution when using WSE, see here! Sometimes when you invoke a webservice the call fails with the following exception: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send.at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)at ... In some cases the first call to the webservice works just fine, but if in the following few minutes no new call to the webservice is made, the next call would throw the except......

483 of 493 | Solving "The underlying connection was closed: An unexpected error occurred on a send." (Webservices) - UPDATE: For solution when using WSE, see here! Sometimes when you invoke a webservice the call fails with the following exception: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send.at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)at ... In some cases the first call to the webservice works just fine, but if in the following few minutes no new call to the webservice is made, the next call would throw the except......

484 of 493 | Don Box ServerSide.NET interview notes - In preparation for the London Bloggers Dinner with Don Box and Chris Anderson on Monday (see the report of this dinner, and what went on at the pub afterwards), I thought I’d get up to speed and make some notes of the key points made in Don’s interview on the ServerSide.NET.  To my mind this is the best interview I`ve seen or read about Indigo.> I`m posting these notes mainly so that I can have them handy in SharpReader when I`m offline and in case others might find them useful.  You can see the interview and download the full transcript on the ServerSide.NET site.>> What is Indigo  >> A connective tissue between programs.  It makes it sim......

485 of 493 | John Bristowe and the Policy Movement - John Bristowe, recent MVP, fellow YAWP`er and lover of Australian Red Wine posts about his conversion of another person to the love of WS-Policy.  I`ve been a long-term (well for around six months, which qualifies as long-term in WS-* land) lover of Policy. Policy just keeps getting better in Indigo with metadata exchange in Indigo, but the movement needs to start now.  I think we need a slogan or song.  `People for Policy` or something like that. John also cheekily suggests that I may have a `showdown` with Klaus Aschenbrenner after his article on WSE 2.0 security.  I`m more that happy to share the SoapContext with anyone else who`s into WSE ......

486 of 493 | Work, WSE and Indigo - I’ve been quiet lately, mostly because I have been very busy with work. These last couple of months has been intense and filled with SOAP, web services and the SOA paradigm. After digging into Indigo and preparing for my overview presentation, I went strait on to designing and building a new version of our integration infrastructure. The solution relies heavily upon on WSE 2.0 and this has provided me with some interesting challenges. Naturally, it also borrows some concepts and ideas from Indigo. Expect more details on my WSE 2.0 experience as I get both them and my mind organized. ...

487 of 493 | WSE and the Next Generation of Security - I have spent a lot time with WSE 2.0 in the last few weeks, and as both my code and my mindset moves from testing and research to building production quality systems, I am beginning to think about how hard it is to get the security choices right with WSE 2.0. From a practical point of view, the move from plain ASP.NET Web Services to WSE and WS-Security is about moving from the SSL checkbox in IIS to a fairly imperative and challenging programming model in WSE 2.0. While the SSL-checkbox is inflexible and does not provide you with a lot of room for configuration, it is reasonably simple to get right. The WSE toolkit on the other hand provides you with a lot of ......

488 of 493 | Clarifying the Indigo message - A month after the Indigo `Kimono opening` at the PDC there`s still a lack of clarity about what Indigo is, how it relates to other messaging technologies and what`s the best way to start developing applications today.  While a lot of this was covered at the PDC my perception is that some of the message hasn`t been ack`d successfully from the audience.  [Update: See my more recent post `More on the Microsoft Messaging message` for some answers to these questions] The Longhorn DevelopMentor mailing list had an excellent exchange yesterday on Indigo, which has lead me to highlight some areas where I`d like a clearer message: What`s the relationship ......

489 of 493 | Reading .NET User Group YAWP -  As Tim Sneath spotted, I did another YAWP (Yet Another WSE Presentation) to the .NET Exchange User Group at Microsoft UK campus in Reading last night.  I`m doing a number of presentations around the UK in the next month (though I think John Bristowe`s record of 20 YAWPs a year is safe), details on my presentations page.  Here are my slides and some of my demos.  Web services are being adopted in the wild There certainly is a lot of material to cover in web services from the specifications to the implementation, so we only briefly touched on Indigo.  There were 30 or so developers there. Starting with the mandatory `polling` questions I was surprised that around 60% of ......

490 of 493 | WSV304: Indigo security tokens stop the PasswordProvider madness - Steve Millet is talking about the improvements in the Indigo model for security tokens.  The good news is that the madness has stopped: when a UsernameToken is validated you only need to return a bool rather than the password.  WSE 1.0 and 2.0 require the password to be returned allowing WSE to work out whether they match.   This was uncomfortable for several reasons, such as the fact the password might have been hashed, or just the fact that sharing the password back with the framework feels like a `boundary violation`.  I`m glad that we`re seeing the end of this bizarre API practice. Other interesting tidbits were that SAML tokens will be available in Indigo.......

491 of 493 | WSV404: Omri and the Indigo protocol stack - It`s 8:30am and there`s a room full of geeks wanting to get deep down and dirty into the Web Service protocols.  Omri is the Product Unit Manager for the Advanced Web Services group, so he`s the man responsible for the WSE team.  He demonstrated the secure, reliable and transacted demo that Bill Gates gave with IBM on 17 September.  The slides for this session are available. Positioning Indigo`s Protocols The wire protocols that Indigo uses are key to interoperability story.  Omri is positioning Indigo as the Internet`s L7 protocol, comparing Web Services as the top of an Internet stack above XML on top of HTTP on top of TCP on top of IP and onwards.  ......

492 of 493 | I need to clarify... - Reading Micheal M`s comment, I realized that I was not clear enough in my last post.When I said I didn`t want to think about security, I meant as a plumber. Part of my responsibility as the designer or developer of an application is, as Micheal M, says, to think about everything as a possible security hole. He is absolutely right and I did not intend to imply otherwise. But I need help. I can`t write my own cryptography engine. I don`t have the time, and, more importantly, I won`t get it right. Similarly, I don`t want to have to write my own SSL hand-shake to establish a secure channel with an HTTPS endpoint. Luckly, ......

493 of 493 | "But I`m a plumber..." - I`ve spent a lot of time with WS-Security lately, partly because of the bruhaha over its use in MsComService, and partly because I`m digging more deeply into WSE 2.0. Like most of my friends (and a penguin Gudge knows), I`m a plumber. I like spending time thinking about how to program with XML messages (feeding my reputed addition). But I realized last weekend that there are limits, even for me. I realized that I want someone else to take care of security for me... It`s not that I`m not interested - I think it`s a fascinating topic. But I have too many other things going on to lose myself in it, and I don`t trust m......