I have a pretty good understanding of X.509 cryptography, etc., from my career in the smart card industry. So I know that the card scheme (e.g. Visa, MasterCard) is the highest level of trust - they sign issuer keys for subsequent diversification and use on ranges of smart cards, and the issuer then signs individual card keys - thus the chain of trust is present.
My question actually relates to something a little different though. I have developed an application, which I want to place under some licensing control. I have developed my own database to hold user and license information - and all keys distributed will actually be encrypted using a 192-bit 3DES key - decipherable only by the server.
I have a WCF client/server setup - and now I am nearing the point of needing to sort out my response to the client application - which will contain the authenticated license details, signed by my private key for authenticity. So I need to have the public key available to that client application.
I can get an SSL certificate for the website to which the client app connects. My question is therefore whether my app would be able to make use of that public key - or whether I should create a new key pair, signed by my website SSL certificate, effectively giving me a separate key to use for the authentication of this application.
Also - should the public key be distributed with the application, as an installable file? As I write this, I am figuring that it probably does need to be, as I need to allow for offline registrations.
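The flow the question describes (the server signs the license record with its private key, and the client verifies it with a public key shipped in the installer, so it works offline) as an added example that is not from the post or its WCF code; it assumes a dedicated Ed25519 application-signing key rather than the website's TLS key, and the `License` fields are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// License is the record the server returns to the client (constructed fields).
type License struct {
	User    string `json:"user"`
	Product string `json:"product"`
	Expires string `json:"expires"`
}

// SignedLicense carries the exact bytes that were signed plus the signature;
// the client verifies those bytes before trusting anything inside them.
type SignedLicense struct {
	Payload   []byte
	Signature []byte
}

// IssueLicense runs on the server: only the holder of priv can produce a
// signature that the client's embedded public key will accept.
func IssueLicense(priv ed25519.PrivateKey, l License) (SignedLicense, error) {
	payload, err := json.Marshal(l)
	if err != nil {
		return SignedLicense{}, err
	}
	return SignedLicense{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyLicense runs on the client with the public key distributed in the
// installer; no server round-trip is needed, so offline registration works.
func VerifyLicense(pub ed25519.PublicKey, s SignedLicense) (License, bool) {
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return License{}, false // forged or modified payload, or wrong key
	}
	var l License
	if err := json.Unmarshal(s.Payload, &l); err != nil {
		return License{}, false
	}
	return l, true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // app-specific signing key
	signed, _ := IssueLicense(priv, License{"alice", "demo-app", "2030-01-01"})
	_, ok := VerifyLicense(pub, signed)
	signed.Payload[2] = 'U' // change one byte of the record: signature no longer matches
	_, tamperedOK := VerifyLicense(pub, signed)
	fmt.Println("genuine:", ok, "tampered:", tamperedOK) // genuine: true tampered: false
}
```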