RE: CA-SSL in IIS
From: CORREIA, PATRICK (pcorreia_at_cha-llp.com)
Date: 07/15/03
- Previous message: Anthony Kim: "Re: CA-SSL in IIS"
- Maybe in reply to: Benjamin Meade: "CA-SSL in IIS"
- Next in thread: Benjamin Meade: "RE: CA-SSL in IIS"
- Reply: Benjamin Meade: "RE: CA-SSL in IIS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: 'Ed Sunder' <edsunder@threehd.com>, focus-ms@securityfocus.com
Date: Tue, 15 Jul 2003 12:09:53 -0400

There is a concept involved here of a "chain of trust". When Verisign signs
your SSL certificate, they are giving their promise that they trust that you
are who you say you are. When Joe User comes to your site, he has to decide
if he trusts Verisign to make that decision. The chain can actually be much
longer through the use of intermediate certification authorities. A user
can "install" a certificate as a trusted root, meaning they trust the holder
of that certificate to sign other certificates. This is the benefit of
paying a third-party CA -- their root certificate is already trusted by a
default install of most browsers, including Internet Explorer.

In terms of the public web, if you sign certificates with your own CA, the
certification chain will end with the certificate of your CA, which will not
be trusted by most clients. So when they visit your web site, they will see
an error message that the site is trying to establish an SSL connection but
the identity of the server could not be positively established. This will
probably scare people, even though the encryption will still work to the
fullest extent. In a controlled environment, you could install the
certificate of the CA as trusted on all the client machines and you would
have no problems at all.

--
Patrick Correia, Web Designer
Clough, Harbour & Associates LLP
III Winners Circle
P.O. Box 5269
Albany, New York 12205-0269
http://www.cha-llp.com

-----Original Message-----
From: Ed Sunder [mailto:edsunder@threehd.com]
Sent: Tuesday, July 15, 2003 10:50 AM
To: focus-ms@securityfocus.com
Subject: RE: CA-SSL in IIS

What drawbacks are there in becoming your own certificate service? Versus one of the major SSL services? Other than that the source of the certificate (if the user looked it up) would not be a commercially known provider and you couldn't participate in any of the major provider's ever so valuable certificate programs.

Ed Sunder
Three HD
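
The chain of trust described in the reply above can be reproduced with the openssl command line. This is an added example, not part of the original message; it assumes the `openssl` CLI is installed, and every name in it ("Example Internal CA", "Example Public Root", www.example.test) is constructed for illustration.

```shell
#!/bin/sh
# Added example. All names are constructed: "Example Internal CA" is the
# self-run CA, "Example Public Root" stands in for a root a browser ships with.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_root <file-prefix> <common-name>: create a self-signed root certificate
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

make_chain() {
  new_root ca "Example Internal CA" || return 1
  new_root public "Example Public Root" || return 1
  # Server key and signing request, then the internal CA signs the request.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/srv.csr" -days 30 -CAcreateserial \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -out "$WORK/srv.crt" 2>/dev/null
}

# name_of <issuer|subject> <cert>: print that name without the field label
name_of() {
  openssl x509 -noout "-$1" -in "$2" | sed "s/^$1= *//"
}

# trusted_by <root.crt>: does a client trusting only that root accept srv.crt?
trusted_by() {
  openssl verify -CAfile "$1" "$WORK/srv.crt" >/dev/null 2>&1
}

make_chain || echo "openssl failed" >&2
echo "server cert issuer: $(name_of issuer "$WORK/srv.crt")"
trusted_by "$WORK/public.crt" && echo "default client: trusted" \
                              || echo "default client: identity not established"
trusted_by "$WORK/ca.crt"     && echo "client with CA installed: trusted" \
                              || echo "client with CA installed: rejected"
```

The same server certificate is rejected or accepted depending only on which root the client holds; the key exchange and encryption are identical in both cases.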