And then I read your email a second time and noticed you said Silverlight
PHONE app. Perhaps you could use something similar... but as it's not
hosted on a web server, but instead it's on the phone, that might not work.
Perhaps a call to a server with a login where a key is given out for that
session? Or something that is harder to fake, like a phone ID (can you set
up a list of authorised devices on the server, or is it a public-facing app
where anyone could be connecting?)

On Tue, Nov 25, 2014 at 8:06 PM, Greg Keogh <g...@mira.net> wrote:

> Folks, I have a Silverlight Phone app that talks to a WCF service. The
> spec says that phones must *prove* to the service that they are
> legitimate and trusted. I figure therefore that I will stuff something in
> the message headers of each call that can't be forged to prove a phone has
> legitimate client software ... but what?
>
> The spec is vague and does not specify any kind of "login" method or
> handshake to establish trust.
>
> To confuse matters, I've been given a pair of X509 certificates (as cer
> and pfx files) without any hint about what to do with them. So I've been
> reading about X509s for hours, but I can't figure out if they're of any
> help in this situation or not. All the sample code I've found using
> certificates is for the full CLR and not for the Silverlight CLR where many
> classes are smaller or missing. I can't figure out how to use X509s for
> solving my problem (if they are of any use).
>
> Any suggestions from crypto protocol boffins out there?
>
> *Greg K*
>
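
The login-then-session-key idea from the reply, sketched as an added example (not code from anyone in the thread): the service hands out a random key after login, and every call carries an HMAC-SHA256 over a timestamp, nonce and body in its headers. The header names, class and function names, and the 300-second window are assumptions, and the sketch is in Python to show the protocol rather than Silverlight code.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 300  # assumed policy: seconds a signed call stays acceptable

def sign(key, timestamp, nonce, body):
    """HMAC-SHA256 over timestamp, nonce and body, hex encoded."""
    msg = f"{timestamp}\n{nonce}\n".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def signed_headers(sid, key, body, now=None):
    """Client side: headers to attach to one service call."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return {"X-Session": sid, "X-Timestamp": ts, "X-Nonce": nonce,
            "X-Signature": sign(key, ts, nonce, body)}

class Service:
    """Server side: issues a key per login, verifies each signed call."""

    def __init__(self, users):
        self.users = users    # username -> password (constructed demo data)
        self.sessions = {}    # session id -> (key, nonces already seen)

    def login(self, user, password):
        # Demo only: a real service checks a salted password hash.
        stored = self.users.get(user, "")
        if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        sid, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.sessions[sid] = (key, set())
        return sid, key       # reply must travel over TLS

    def verify(self, headers, body, now=None):
        now = time.time() if now is None else now
        session = self.sessions.get(headers.get("X-Session"))
        if session is None:
            return False      # no login, no key
        key, seen = session
        ts, nonce = headers.get("X-Timestamp", ""), headers.get("X-Nonce", "")
        expected = sign(key, ts, nonce, body)
        if not hmac.compare_digest(expected.encode(), headers.get("X-Signature", "").encode()):
            return False      # forged or altered call
        if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW or nonce in seen:
            return False      # stale or replayed call
        seen.add(nonce)
        return True
```

A valid signature shows that the caller completed a login and holds the session key; it does not by itself show that the calling software is unmodified.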
