Re: CA-SSL in IIS
From: Anthony Kim (Anthony.Kim_at_VWCREDIT.COM)
Date: 07/15/03
- Previous message: Larry Seltzer: "RE: CA-SSL in IIS"
- In reply to: Ed Sunder: "RE: CA-SSL in IIS"
- Next in thread: Chris Lynch: "RE: CA-SSL in IIS"
Date: Tue, 15 Jul 2003 11:26:01 -0500 To: focus-ms@securityfocus.com
On Tue, Jul 15, 2003, Ed Sunder wrote:
> What drawbacks are there in becoming your own certificate
> service? Versus one of the major SSL services? Other than that
> the source of the certificate (if the user looked it up) would
> not be a commercially known provider and you couldn't
> participate in any of the major provider's ever so valuable
> certificate programs.
>
You need to maintain a strict security support structure to
protect your certificate service servers, root CAs, intermediary
CAs and so forth. ISS wrote up some guidelines in their MS Press
Windows 2000 Security Technical Reference. In theory. People
producing their own X.509 certs for private use seldom take such
measures. But at the end of the day, how much effort you
should make depends on your security requirements.

You need to distribute your root CA certificate to your users'
browsers - so they aren't faced with the "This cert is not signed
by a valid CA" warning. But this can be accomplished via Group
Policy IIRC.

Otherwise, private CAs are pretty common I reckon.