Re: Flaws IIS6 with AD (2003) Cert Mapping
From: Craig Humphrey (craig.humphrey_at_nospam.chapmantripp.com)
Date: 10/17/03
- Next message: Craig Humphrey: "IIS Certificate Mapping password retreival"
- Previous message: Tom P. Willett: "Re: Supervisor"
- In reply to: Craig Humphrey: "Re: Flaws IIS6 with AD (2003) Cert Mapping"
- Next in thread: Craig Humphrey: "Re: Flaws IIS6 with AD (2003) Cert Mapping"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 17 Oct 2003 13:47:38 +1300
[rant]
We've had a bit of a discussion with the local Microsoft Technical support
and their stance is that IIS (4, 5 & 6) use a "legacy" method of mapping
certificates and that AD uses the "model that MS have adopted for the
future".
So you have two choices, a secure legacy method, or an insecure "modern"
method... you choose...
The techy did point out that you're supposed to trust your CA, which is
fine, if it's VeriSign, since they go to great lengths to authenticate and
validate certificate requests. But we issue our own (1000's per year) using
MS's own CA, which we then have to wrap up in some super duper secure
procedure/system, to ensure that the certificates it issues are unique and
trusted. That's not our core business (we're a law firm) and what good is
MS's CA if you have to spend a whole lot of time and money locking it (and
the procedures around it) down tight?
OK, so maybe MS's CA is only good for issuing certs in certain closed
conditions, since even internal networks can't really be trusted.
So perhaps I should be asking if anyone knows of a CA service (with web and
management interfaces) that can easily be set up in a secure manner?
[/rant]
Soon'ish
Craig
"Craig Humphrey" <Craig.Humphrey@nospam.chapmantripp.com> wrote in message
news:10d801c3888f$c2be5420$a401280a@phx.gbl...
> Hi Eric,
>
> what you're saying about authentication is true.
> Currently we use quite a different method for issuing
> certs, and the method we're working on for the new
> environment is also different again (a lot stronger).
>
> However, out of the box, MS's implementation is flawed.
> AD only uses the Subject and Issuer lines of the cert's
> public key, to do the mapping, which can't be guaranteed
> to be unique. And you can't make the mapping process
> stronger. All you can do is restrict users' ability to
> request certs.
>
> If MS were to use the same cert mapping function in AD,
> that they use in IIS, no-one loses, everyone wins, with a
> more secure implementation.
>
> Later'ish
> Craig