Date: 05/11/06 (C Sharp)    Keywords: software, asp, security

While the project to which this question applies is written in C#, this particular question is more of an architectural issue and less of a semantic/syntactic C# problem, for which I apologize. I was hoping I could still get some help.

In vague and general terms, here is my architectural problem du jour:

I am constructing a client-server application with a subscription model, in which the "server" component is an ASP facility owned/leased by my company. There are various levels of access granted to a given customer -- for the sake of simplicity, let's say there are two levels, "demo" and "purchased." The "demo" level allows the customer to run the client software on one PC at a time (I have the logic in the client and server software for this to happen, so it's not part of the scope of this question); the "purchased" level allows the customer to run the client software on some large number of PCs simultaneously. The application's value proposition depends somewhat on its large-scale deployability; it needs to be very simple for a "purchased" user to install the client-side software on a large number of PCs with very little effort or time investment. Therefore, a silent install is required -- an installation requiring absolutely no interaction from the user, aside from being launched. Progress/confirmation may be displayed, but no additional interaction would be required after launching the installation. I believe I can build such an installation mechanism without much weeping and gnashing of teeth, so that's not my question here.

The client software's mission in life is to transmit data periodically to the server, which customers can access to view the data in a valuable, money-saving, revolutionary fashion (that's the idea, anyway). However, the server needs a way to associate all of these clients' data streams with the computers from which they are originating, each time a transmission is made. This part is done -- using a series of hashes, the server is able to distinguish unique computer from unique computer when they transmit their data streams.

However, it is the next level of association with which I am having trouble. Each unique computer needs to be associated with one customer.

One solution I was imagining was a very computationally expensive process by which the registration of each new customer causes a recompilation of the MSI archive and setup application, bundling a new customer ID into the archive for each new customer. Then, when that customer downloads the client software to install on his target PC(s), the silent install notices this customer ID and transmits it with each data stream. The hashes I gather give me uniqueness among different computers within the same customer, while the customer ID gives me uniqueness among customers and ownership to each unique computer. However, this strategy would require the MSI compilation software installed on the ASP, which is a unique configuration that I'm not sure I could persuade many leased-ASP providers to support. "Someday," if the application is successful, I would have no problem colocating or owning the ASP myself, but in the beginning this would not be an option.

Another solution I can imagine is that each new computer the server notices that is not associated with a customer gets put in a pool of new computers, and the customers may select those computers which he wants to add to his account. Unfortunately, the type of this software would make such a model a vast security risk, so it is not an option.

Finally, I thought of a solution in which the customer is asked to provide details about the PC(s) he will be adding to his account, e.g. the public IP address from which they will be transmitting. However, this approach seems even more intrusive than asking the customer to type in a customerID every time he installs the client software on a local PC, so it's not feasible either.

Any of your help would be very much appreciated. Thanks for any thoughts or ideas, even if they're not completely fleshed out; they might give me the impetus I need to come up with a complete solution.

Source: http://community.livejournal.com/csharp/61406.html