Re: MS: David Cross

From: John McCoy (itsme109@hotmail.com)
Date: 11/29/02


From: "John McCoy" <itsme109@hotmail.com>
Date: Thu, 28 Nov 2002 22:14:47 -0500

This is a pretty good idea also; you can do CRL checking even with ISA 2000.
We are doing it now.

--
John McCoy
"S. Pidgorny [MVP]" <slavickp@yahoo.com> wrote in message
news:OlNI9BslCHA.2840@tkmsftngp04...
> It looks like everyone suggests to contact MS with such a question?
>
> I do have some suggestions:
>
> * Certificate distribution: create all certificates in-house, make private
> keys exportable, export the cert and send the PFX file to the customer. It
> is password-protected.
>
> An online CA is also acceptable but you need to have a means of verifying
> customer identity before approving the request. The above approach is easier
> but not good for mass deployment.
>
> * ISA Server and certificate authentication. Trouble, AFAIK. No, it works
> fine, but the problem is CRL checking. It just doesn't happen. And yes, MSCS
> do have a solution for that problem already.
>
> --
> Svyatoslav Pidgorny, MS MVP, MCSE
> -= F1 is the key =-
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:#4LwvlqlCHA.2224@tkmsftngp02...
> > Again, I would recommend contacting MSCS. Either they will be able to allay
> > your concerns or they can float your concerns back to Redmond and get a
> > satisfactory answer for you. You might possibly get lucky and get the answer
> > here but in matters of security you should be as careful as you can be.
> >
> > --
> > Joe Richards
> > www.joeware.net
> > ---
> >
> > "John McCoy" <itsme109@hotmail.com> wrote in message
> > news:utvqinfrovp500@corp.supernews.com...
> > > It isn't my site I am thinking of. I just want to make sure when we set up a
> > > certificate server for outside users to contact it is a secure method. There
> > > are some concerns about how I planned to do it.
> > >
> > > This is for our customers to be in compliance with HIPAA
> > >
> > > --
> > > John McCoy
> > >
> > >
> > > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> > > news:OnCdlZykCHA.2008@tkmsftngp08...
> > > > I would recommend contacting your local Microsoft office and getting an MSCS
> > > > Security specialist to visit.
> > > >
> > > > --
> > > > Joe Richards
> > > > www.joeware.net
> > > > ---
> > > >
> > > > "John McCoy" <itsme109@hotmail.com> wrote in message
> > > > news:utu0dj97tne95f@corp.supernews.com...
> > > > > Thank you, I just want to make sure the distribution method we choose is the
> > > > > most secure one.
> > > > >
> > > > > --
> > > > > John McCoy
> > > > >
> > > > >
> > > > > "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> > > > > news:u2qstZekCHA.348@tkmsftngp12...
> > > > > > I am fairly sure you can get pricing and phone numbers from
> > > > > > www.microsoft.com/support.  Look under the section for ISA Server [or maybe
> > > > > > Windows 2000 Server]
> > > > > >
> > > > > > "John McCoy" <jmccoy@cmatech.com> wrote in message
> > > > > > news:esVI9GakCHA.2276@tkmsftngp12...
> > > > > > > I would like to call and speak to someone in some greater detail about the
> > > > > > > best way to distribute certificates to outside users.
> > > > > > >
> > > > > > > I plan to use a CA Root for internal users and a standalone sub for
> > > > > > > external users. We want external users to be issued a certificate to be able
> > > > > > > to digitally sign and encrypt email and attachments. We are using ISA 2000.
> > > > > > > The question is, is it a good security practice to expose the standalone sub
> > > > > > > to issue certificates? We would publish it using ISA 2000.
> > > > > > >
> > > > > > > I understand this would be a fee based call.
> > > > > > >
> > > > > > > Thanks
> > > > > > >
> > > > > > > John McCoy
> > > > > > > jmccoy@cmatech.com
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>


Relevant Pages

  • Re: revoking ipsec certificate doesnt work
    ... It's possible to publish manually the update delta and full CRL using the CA ... MMC SnapIn on the Server. ... my test VPN client never checks if the ... Server 2003 SP1 without any problem after the certificate is revoked nearly ...
    (microsoft.public.windows.server.security)
  • Re: Client Certificates Deleted after 2003 upgrade.
    ... Certificate Server and everything was fine. ... > CRL. ... if you run your own Cert ...
    (microsoft.public.inetserver.iis.security)
  • Re: failing to retrive CRL from certificate server using new LDAP
    ... automaticlly updates only if I put 192.168.1.1 under LDAP Server: ... This is how I specify on our VPN netscreen 50 under certificate optios> CRL ...
    (microsoft.public.windows.server.security)
  • Re: MS: David Cross
    ... heard from MSCS about problems. ... And - are you using internal CA with CRL distribution ... point behind ISA or commercial CA certs? ... >> * ISA Server and certificate authentication. ...
    (microsoft.public.win2000.security)
  • Re: IAS CRL Configuration
    ... I was referring to the server that is running CA in my last response. ... troubleshooting certificate issues, but I'm not sure if it would contain the ... You're correct that the IAS server does not use a new CRL until the old one ...
    (microsoft.public.internet.radius)