CA certificates on W2k

From: jtnim@hotmail.com
Date: 06/13/02


Date: 13 Jun 2002 07:02:59 -0000
From: <jtnim@hotmail.com>
To: focus-ms@securityfocus.com



First of all I'll have to confess I'm not terribly knowledgeable when it
comes to things like SSL and PKI. I was asked to find out whether our web
site should use SSL and what would it require from us. I did some self-
study on SSL and PKI and find myself facing more open questions than I did
before.

For now, I'd like to focus on just one question. I found some +100 CA
certificates on my W2k workstation. These are all marked trusted, but I
don't remember ever accepting or acknowledging any of them. Where did they
come from and how do I know they're not bogus? I asked the same question
on MS newsgroups and someone said they "are supplied with the OS". So
Microsoft decides for me who I am to trust??? Another interesting thing I
discovered was that my browser (or OS) never contacted any other servers
when I logged on to an SSL-protected web site. How do I know the server
certificate has not been revoked? It turns out that this feature is turned
off on IE 6 _by default_!

I realize these are complex issues, but to me there seems to be something
fundamentally wrong with this picture, so if there are security experts out
there who could shed some light on this, I'd sure appreciate your input.
Also, if you know good resources (whitepapers etc.) on these subjects, URLs
would be welcome.

Thanks,

-- Rubio


