I am currently trying to undertand how best to implement signing/verification in a .NET 4.0 C# environment.
My requirment is to be able to sign data within my system as one 'user', at some point later that data needs to be verified by a consumer.
To accomplish this I am trying to use Certificates, however this is where I begin to struggle. One aspect of my confusion is that I have been advised I can use DPAPI for certificate management, however from reading DPAPI documentation it appears to only offer a way of protecting/unprotecting arbirary data for the local host/user. Although this data may happen to be a private key, it does not specifically deal with certificates.
A first question is, doe DPAPI in any way link to the local certificate store, or other certificate management solution?
The hope was that the code would not have to locate certificates, instead simply pass the data down to a helpful API where it is either signed (on the data source) or verified (on the consumer).
Any comments are appreciated.
DPAPI is used to encrypt data that is intended to be decrypted only under the same Windows user account. It uses a symmetric encryption algorithm, so it cannot offer the signing functionality that you require.
If you wish to offer signing capabilities, then use of an signing algorithm based on a public-private key pair (with the public key distributed in a certificate) would usually be the appropriate approach. The .NET BCL does offer functionality for the signing and verification parts (including use of keys from the local certificate store), but it won't help you with the key distribution side of things.