In the business-to-business scenario, the service and its clients are disparate business entities. They do not share credentials or accounts, and the communication between them is typically closed to the public. There are relatively few clients interacting with the service, and the client can only interact with the service after an elaborate business agreement has been established and other conditions have been met. Instead of Windows accounts or usernames, the clients identify themselves to the service using X509 certificates. These certificates are usually known a priori to the service. The client or service may not necessarily be using WCF, or even Windows. Therefore, if you are writing a service or a client, you cannot assume the use of WCF at the other end. The client calls originate from outside the firewall, and you need to rely on HTTP for transport. Also, multiple intermediaries are possible.
For the business-to-business scenario, you should use the Internet bindings; namely, WSHttpBinding. You must use Message security for the transfer security mode, to provide for end-to-end security across all intermediaries. The message will be protected using a service-side certificate, just as with the Internet scenario. However, unlike with the Internet scenario, here the clients provide credentials in the form of a certificate. This is done uniformly across these bindings by selecting ...
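A service-side configuration for this scenario could look like the following. This is an added example, not taken from the original text. The service and contract names, the endpoint address, and the certificate subject name are constructed placeholders, and the choice of `PeerTrust` validation is an assumption that fits client certificates known to the service in advance.

```xml
<!-- Added example: service-side App.config / Web.config.
     MyNamespace.MyService, MyNamespace.IMyContract, the address and
     "MyServiceCert" are constructed placeholders. -->
<configuration>
  <system.serviceModel>
    <services>
      <service name="MyNamespace.MyService" behaviorConfiguration="B2B">
        <!-- HTTP transport: callers sit outside the firewall -->
        <endpoint
          address="http://localhost:8000/MyService"
          binding="wsHttpBinding"
          bindingConfiguration="B2BMessageSecurity"
          contract="MyNamespace.IMyContract" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="B2BMessageSecurity">
          <!-- Message security: protection travels with the message
               end to end, across every intermediary -->
          <security mode="Message">
            <!-- Clients present an X509 certificate instead of a
                 Windows account or username -->
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="B2B">
          <serviceCredentials>
            <!-- Service-side certificate used to protect the message -->
            <serviceCertificate
              findValue="MyServiceCert"
              storeLocation="LocalMachine"
              storeName="My"
              x509FindType="FindBySubjectName" />
            <!-- Assumption: accept only client certificates already
                 installed in the service's Trusted People store -->
            <clientCertificate>
              <authentication certificateValidationMode="PeerTrust" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

With `PeerTrust`, onboarding a new business partner means installing its certificate in the Trusted People store, and removing the certificate cuts that partner off.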