|
Posted by Mark Randall on June 28, 2007, 5:33 am
If you were Registered and logged in, you could reply and use other advanced thread options
> Thanks for the reply Ray. I'll endevour to answer your questions.
> They have no need of our root certificate. All they get is the publically
> available web server certificate. That is, when looking at the HTTPS
> website
> identification they see a certificate like this:
> Client certificates would be issued using a manual process and not
> automatic. Basically, during the initial setup after the customer signs
> the
> contract, we send them the appropriate client certificates for each of
> their
> users. It would cause no more aggravation than if the client certificates
> were issued by a "real" CA.
If it were signed by a 'real' CA then you'd get an automatic certificate
signing chain starting from the root certificates hardcoded into the OS,
that in turn would sign your company certificates and that in turn would
sign your web certs.
> Type https://download.microsoft.com/ into IE and you'll get a certificate
> error. That is because the certificate used to secure the URL was issued
> to
> a248.e.akamai.net by GTE CyberTrust Global Root. No mention of Microsoft
> even
> though it's a Microsoft URL.
Many host names to one IP, the Akamai distribution nodes tend to use actual
DNS redirection if I remember right, but the cert is IP based.
> For it to work correctly, the certificate would have to be issued to the
> exact same URL, and as far as I'm aware there is no way for a URL to
> resolve
> to a different IP address than the one that is in DNS.
Thats easy. Theres nothing in DNS about it being guarenteed correct. Round
Robin DNS redirection works by aiming your dns request at a different IP.
There is nothing to stop a programmer from creating a piece of DNS server
software that replies to one person with one IP, and another person with a
completely different IP for identical requests.
> pointing at their real website very often.
>
> As with any spoofing or phishing, the weakest link in security is the
> user.
>
>> Personally, I would think you're cheaping out but a lot of other
>> companies
>> do it. I would definitely use a real code-signing certificate at a
>> minimum.
>> They are not that expensive.
>
> But I'm not just talking about code-signing. I'm also talking about SSL
> and
> client certificates. We're talking about tens of thousands of
> certificates.
Hence chaining, you buy your company certificate and then use it to sign
your own.
> So what, in your opinion, makes a certificate issed by GoDaddy, Verisign,
> Microsoft, C&W, Equifax or Dell, better than one issued by the company
> that
> is providing the service you are paying for?
>
| 
XML site map