And then I read your email a second time and notice you said Silverlight PHONE app. Perhaps you could use something similar... but as it's not hosted on a web server, but instead it's on the phone, that might not work. Perhaps a call to a server with a login where a key is given out for that session? Or something that is harder to fake, like a phone ID (can you set up a list of authorised devices on server or is it a public facing app where anyone could be connecting?)

On Tue, Nov 25, 2014 at 8:06 PM, Greg Keogh <g...@mira.net> wrote:

> Folks, I have a Silverlight Phone app that talks to a WCF service. The
> spec says that phones must *prove* to the service that they are
> legitimate and trusted. I figure therefore that I will stuff something in
> the message headers of each call that can't be forged to prove a phone has
> legitimate client software ... but what?
>
> The spec is vague and does not specify any kind of "login" method or
> handshake to establish trust.
>
> To confuse matters, I've been given a pair of X509 certificates (as cer
> and pfx files) without any hint about what to do with them. So I've been
> reading about X509's for hours, but I can't figure out if they're of any
> help in this situation or not. All the sample code I've found using
> certificates is for the full CLR and not for the Silverlight CLR where many
> classes are smaller or missing. I can't figure out how to use X509s for
> solving my problem (if they are of any use).
>
> Any suggestions from crypto protocol boffins out there?
>
> *Greg K*
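
The session-key idea suggested in the reply above, sketched as an added example that is not part of the original thread: the service issues a random key after login, and each call carries an HMAC over the session id, action, nonce, timestamp and body hash in a message header. Every name is hypothetical; the code is written against the full .NET class library rather than the Silverlight subset and assumes the key is delivered to the phone over TLS.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added illustration; every name here is hypothetical, not from the thread.
static class SessionHeaderAuth
{
    static readonly TimeSpan MaxSkew = TimeSpan.FromMinutes(5);

    // Service, after a successful login: random key for this session only.
    public static byte[] NewSessionKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    // Phone: tag to send in a message header with each call.
    // Fields are assumed to contain no newline characters.
    public static byte[] Sign(byte[] key, string session, string action, string nonce, DateTime utc, byte[] body)
    {
        using (var sha = SHA256.Create())
        using (var mac = new HMACSHA256(key))
        {
            string msg = string.Join("\n", session, action, nonce, utc.ToString("o"), Convert.ToBase64String(sha.ComputeHash(body)));
            return mac.ComputeHash(Encoding.UTF8.GetBytes(msg));
        }
    }

    // Service: reject stale timestamps, then bad tags, then replayed nonces.
    // 'seen' should be kept per session, locked, and pruned after MaxSkew.
    public static bool Verify(byte[] key, string session, string action, string nonce, DateTime utc, byte[] body, byte[] tag, HashSet<string> seen, DateTime nowUtc)
    {
        if ((nowUtc - utc).Duration() > MaxSkew) return false;
        byte[] expected = Sign(key, session, action, nonce, utc, body);
        int diff = expected.Length ^ tag.Length;   // compare without early exit
        for (int i = 0; i < expected.Length && i < tag.Length; i++) diff |= expected[i] ^ tag[i];
        return diff == 0 && seen.Add(session + ":" + nonce);   // nonce recorded only for valid tags
    }

    static void Main()
    {
        byte[] key = NewSessionKey();
        var seen = new HashSet<string>();
        DateTime now = DateTime.UtcNow;
        byte[] body = Encoding.UTF8.GetBytes("<GetOrders/>");   // constructed sample payload
        byte[] tag = Sign(key, "s1", "GetOrders", "n-001", now, body);
        Console.WriteLine(Verify(key, "s1", "GetOrders", "n-001", now, body, tag, seen, now));     // first use
        Console.WriteLine(Verify(key, "s1", "GetOrders", "n-001", now, body, tag, seen, now));     // same nonce again
        Console.WriteLine(Verify(key, "s1", "DeleteOrders", "n-002", now, body, tag, seen, now));  // action changed
    }
}
```

A valid tag shows that the caller holds the session key issued at login; it does not by itself show that the client software is unmodified, since anything stored in the app can be read by whoever controls the phone.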