Re: MS: David Cross

From: John McCoy (itsme109@hotmail.com)
Date: 11/29/02


From: "John McCoy" <itsme109@hotmail.com>
Date: Fri, 29 Nov 2002 11:31:40 -0500

Hi, I have set up in my internal lab to use the CA to issue the certs and it
is checking the crl. We came across a better way and that is a sub
standalone for external certs. These are both behind an ISA 2000 box, the
trick is to publish the crl list and create a virtual directory on the cert
box. It is pretty cool really.

These are all internally issued, the whole idea is for healthcare office to
be able to use digitally signed email so we have been testing and trying to
get a handle on the entire process. MS has been great, David Cross in
particular in helping me understand the process.

--
John McCoy
"S. Pidgorny [MVP]" <slavickp@yahoo.com> wrote in message
news:e1z#4n6lCHA.1412@tkmsftngp04...
> So it works? Cool. I haven't tried myself (one of 10000 things to do) but I
> heard from MSCS about problems. Can you confirm that ISA checks CRL when
> doing Web publishing? And - are you using internal CA with CRL distribution
> point behind ISA or commercial CA certs?
>
> --
> Svyatoslav Pidgorny, MS MVP, MCSE
> -= F1 is the key =-
>
> "John McCoy" <itsme109@hotmail.com> wrote in message
> news:uudmt8p9ibcgd0@corp.supernews.com...
> > This is a pretty good idea also; you can do crl checking even with ISA 2000,
> > we are doing it now.
> >
> > --
> > John McCoy
> > "S. Pidgorny [MVP]" <slavickp@yahoo.com> wrote in message
> > news:OlNI9BslCHA.2840@tkmsftngp04...
> > > It looks like everyone suggests to contact MS with such question?
> > >
> > > I do have some suggestions:
> > >
> > > * Certificate distribution: create all certificates in-house, make private
> > > keys exportable, export the cert and send the PFX file to the customer. It
> > > is password-protected.
> > >
> > > An online CA is also acceptable but you need to have a means of verifying
> > > customer identity before approving the request. The above approach is
> > > easier but not good for mass deployment.
> > >
> > > * ISA Server and certificate authentication. Trouble, AFAIK. No, it works
> > > fine, but the problem is CRL checking. It just doesn't happen. And yes,
> > > MSCS do have a solution for that problem already.
> > >
> > > --
> > > Svyatoslav Pidgorny, MS MVP, MCSE
> > > -= F1 is the key =-
> > >
> > > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> > > news:#4LwvlqlCHA.2224@tkmsftngp02...
> > > > Again, I would recommend contacting MSCS. Either they will be able to
> > > > allay your concerns or they can float your concerns back to Redmond and
> > > > get a satisfactory answer for you. You might possibly get lucky and get
> > > > the answer here but in matters of security you should be as careful as
> > > > you can be.
> > > >
> > > > --
> > > > Joe Richards
> > > > www.joeware.net
> > > > ---
> > > >
> > > > "John McCoy" <itsme109@hotmail.com> wrote in message
> > > > news:utvqinfrovp500@corp.supernews.com...
> > > > > It isn't my site I am thinking of. I just want to make sure when we
> > > > > set up a certificate server for outside users to contact it is a
> > > > > secure method. There are some concerns about how I planned to do it.
> > > > >
> > > > > This is for our customers to be in compliance with HIPAA
> > > > >
> > > > > --
> > > > > John McCoy
> > > > >
> > > > >
> > > > > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> > > > > news:OnCdlZykCHA.2008@tkmsftngp08...
> > > > > > I would recommend contacting your local Microsoft office and getting
> > > > > > an MSCS Security specialist to visit.
> > > > > >
> > > > > > --
> > > > > > Joe Richards
> > > > > > www.joeware.net
> > > > > > ---
> > > > > >
> > > > > > "John McCoy" <itsme109@hotmail.com> wrote in message
> > > > > > news:utu0dj97tne95f@corp.supernews.com...
> > > > > > > Thank you, I just want to make sure the distribution method we
> > > > > > > choose is the most secure one.
> > > > > > >
> > > > > > > --
> > > > > > > John McCoy
> > > > > > >
> > > > > > >
> > > > > > > "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in
> message
> > > > > > > news:u2qstZekCHA.348@tkmsftngp12...
> > > > > > > > I am fairly sure you can get pricing and phone numbers from
> > > > > > > > www.microsoft.com/support. Look under the section for ISA server
> > > > > > > > [or maybe windows 2000 server]
> > > > > > > >
> > > > > > > > "John McCoy" <jmccoy@cmatech.com> wrote in message
> > > > > > > > news:esVI9GakCHA.2276@tkmsftngp12...
> > > > > > > > > I would like to call and speak to someone in some greater
> > > > > > > > > detail about the best way to distribute certificates to
> > > > > > > > > outside users.
> > > > > > > > >
> > > > > > > > > I plan to use a CA Root for internal users and a standalone
> > > > > > > > > sub for external users. We want external users to be issued a
> > > > > > > > > certificate to be able to digitally sign and encrypt email and
> > > > > > > > > attachments. We are using ISA 2000. The question is, is it a
> > > > > > > > > good security practice to expose the standalone sub to issue
> > > > > > > > > certificates? We would publish it using ISA 2000.
> > > > > > > > >
> > > > > > > > > I understand this would be a fee based call.
> > > > > > > > >
> > > > > > > > > Thanks
> > > > > > > > >
> > > > > > > > > John McCoy
> > > > > > > > > jmccoy@cmatech.com
> > > > > > > > >
> > > > > > > > >
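Added example (not code from the thread, nor from Microsoft or ISA), using the Python `cryptography` library: a constructed throwaway standalone sub CA issues two user certs and publishes a CRL revoking one, and `accept()` shows why the CRL step the thread says ISA skips matters. With `check_crl=False` the revoked cert still gets through; a stale CRL, or one not signed by the issuing CA, is reported as "unknown" and fails closed. All names, serials and dates are constructed for the demo.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
NOW, DAY = datetime.datetime.now(datetime.timezone.utc), datetime.timedelta(days=1)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca(cn="Demo Standalone Sub CA"):
    # Constructed throwaway CA standing in for the thread's standalone sub CA.
    key = ec.generate_private_key(ec.SECP256R1())
    return key, (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(cn))
                 .public_key(key.public_key()).serial_number(x509.random_serial_number())
                 .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY).sign(key, hashes.SHA256()))

def issue_user_cert(ca_key, ca_cert, cn):
    # End-entity cert of the kind handed to an external user for signed email.
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY).sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, ca_cert, revoked_serials, next_update):
    # What the CA publishes at its CDP (the virtual directory mentioned in the thread).
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW - 10 * DAY).next_update(next_update))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(serial)
                                      .revocation_date(NOW - DAY).build())
    return b.sign(ca_key, hashes.SHA256())

def revocation_status(cert, crl, ca_cert):
    """'good', 'revoked', or 'unknown' when the CRL is unusable (wrong issuer, bad signature, stale)."""
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_cert.public_key()):
        return "unknown"
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=datetime.timezone.utc)
    if nxt < NOW:
        return "unknown"  # expired CRL: fail closed rather than assume "not revoked"
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"

def accept(cert, ca_cert, crl=None, check_crl=True):
    # Minimal relying-party decision: CA signature first, then revocation via the CRL.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return False
    if not check_crl:  # the gap the thread describes: a revoked cert is still accepted
        return True
    return crl is not None and revocation_status(cert, crl, ca_cert) == "good"
```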

