Is Transport Level Security Necessary When Using Message Level Security in WCF?

Question

I'm still in the process of trying to better understand WCF security.

One question that I can't seem to get a grip on is… if message level security is used, then the entire message can be signed/encrypted. If this is the case, would it ever make sense to use both message level security AND transport level security? In other words, if the message itself is secure, why would I need to use something like HTTPS for transport security?

Thanks.

Answer 1

HTTPS (SSL, TLS) offer point-to-point secuirty. I already explained what does it mean in one of my previous answers.

Term Security in WCF has 4 components:

• Authentication - credentials passed to server to identify client
• Authorization - selectively define which operations can be executed by authenticated client
• Confidentality - encryption - only expected receiver is able to decrypt the message and read confidental data
• Integrity - signing - expected receiver can validate that message is from declared client and it was not modified during transmission

Authorization is always part of WCF application itself. Authentication is part of WCF application or hosting system - transport protocol can be only used to transport credentials, not to validate them. Confidentality and Integrity is responsibility of transport protocol (transport security) or WCF application (message security). So if you are using encryption and signing on the message level you don't need transport security.