RE: CA certificates on W2k

From: GAkiva@energyintel.com
Date: 06/13/02


From: GAkiva@energyintel.com
To: focus-ms@securityfocus.com
Date: Thu, 13 Jun 2002 12:31:07 -0400

http://www.iisanswers.com/Top10FAQ/t10-How_to_Instal_%20SSL_part1-key_request.htm

I read this article about how to install SSL for IIS 4 a while ago and
considered the editorial that goes along with this HOWTO article to be quite
poignant.

It'll give you the info you need on how to create a self-generated SSL
Certificate (the article will teach you what that really means if you don't
know), including what that'll mean to any clients using this self-generated
Cert.

If you're running IIS 5 and not 4 I'd still suggest reading this. The
required steps are different from 4 to 5 but the principles don't change.

It also explains the meaning of those pre-installed certs that you
mentioned.

Guy Akiva

> -----Original Message-----
> From: jtnim@hotmail.com [mailto:jtnim@hotmail.com]
> Sent: Thursday, June 13, 2002 3.03 AM
> To: focus-ms@securityfocus.com
> Subject: CA certificates on W2k
>
> First of all I'll have to confess I'm not terribly knowledgeable when it
> comes to things like SSL and PKI. I was asked to find out whether our web
> site should use SSL and what would it require from us. I did some
> self-study on SSL and PKI and find myself facing more open questions than
> I did before.
>
> For now, I'd like to focus on just one question. I found some +100 CA
> certificates on my W2k workstation. These are all marked trusted, but I
> don't remember ever accepting or acknowledging any of them. Where did they
> come from and how do I know they're not bogus? I asked the same question
> on MS newsgroups and someone said they "are supplied with the OS". So
> Microsoft decides for me who I am to trust??? Another interesting thing I
> discovered was that my browser (or OS) never contacted any other servers
> when I logged to an SSL-protected web site. How do I know the server
> certificate has not been revoked? It turns out that this feature is turned
> off on IE 6 _by default_!
>
> I realize these are complex issues, but to me there seems to be something
> fundamentally wrong with this picture, so if there are security experts out
> there who could shed some light on this, I'd sure appreciate your input.
> Also, if you know good resources (whitepapers etc.) on these subjects, URLs
> would be welcome.
>
> Thanks,
>
> -- Rubio
>


