Greg Reinacker’s Weblog

MSDN Article: HTTP Security and ASP.NET Web Services

There’s a new article up over on the MSDN site that discusses various aspects of HTTP security for ASP.NET based web services. [Drew's Blog]

Thanks for the pointer, Drew; a good introductory article, about which I have a couple of quick comments.  First, the author only discusses authenticating with Basic/Digest/Certificates against the Active Directory store; probably because this is all IIS supports out of the box.  This isn’t a fault of the article; but people should be aware there are other options.  There are numerous reasons you might want your credential store somewhere else (existing database, etc.); to do this, you have to write the code yourself (or use my sample code).

Second, there is a sentence in the article I just can’t let go:

Digest authentication encrypts the caller’s credentials using a shared secret called a nonce.

Hmm…Digest authentication does not encrypt the caller’s credentials; it hashes them.  That’s why the credentials (or at least a hashed version) must be available on the server for authentication to occur (as opposed to something like NTLM, where the password itself is not required on the server).  And second, the nonce is not a shared secret; it’s passed clear-text – not much of a secret!

I was out racing this weekend, and won my first national race…

Congratulations Greg! I’m curious — how did you get into that? Have you been a car/racing fan for a while? [Wrinkled Paper]

Thanks Patrick!  I’ve always been into cars, and since I could drive, I always wanted to know what it felt like to drive at the limit of a car’s capabilities (I was, ahem, familiar with both sides of that limit, but not the limit itself!).  With that in mind, I finally (2 years ago) talked a friend into going with me to Bob Bondurant’s racing school, where we learned about high-performance driving and road racing techniques.  After that I was hooked…on my instructor’s recommendation, I called the LaRue’s (of LaRue Motorsports) and rented a race car for a day, just to see if I liked it.  Two days later I entered my first SCCA race in the rented car; after that weekend I bought a car, and have been racing ever since.

It’s been an amazing experience; and it’s certainly had its ups and downs.  It hits the extremes of exciting, frustrating, rewarding, dangerous, and expensive.  It makes you explore the limits of not only the car, but yourself.  I never really appreciated the skills and conditioning of race drivers before I tried it myself.  If you’re a car guy/girl, I highly recommend trying it (a school would be the best way, or just renting a car for an open track session); it’s something you’ll never forget.  :-)

I was out racing this weekend, and won my first national race.  And not just one…I won TWO of them!  Talk about the best racing weekend ever.  I had pretty much ruled it out, but now I’m thinking again about going to the national championship (the Valvoline Runoffs).