Certificate confusion?

Archived from groups: microsoft.public.win2000.security

Hello all!

I am trying to get my small brain around something that I have taken for
granted for a while. Certificates. I understand the general concepts with
the public/private key business, but there are some details that are causing
me problems. I know I am misunderstanding some things.

1. What's the point? If I am understanding correctly a Certificate
verifies the authenticity of the two entities involved in some sort of
transaction. Well that is great but what if one of the entities is a crook?

2. Can anyone be a CA? I know Verisign is a CA...is Microsoft? Can my mom
become a CA? I kind of trust her? If anyone can become a CA, then what is
the value of a Certificate?

3. We pay roughly $250 to Verisign for a SSL certificate. Could I have
gotten this Certificate from Microsoft instead? Would it cost me anything?
As far as I can tell some CAs charge for their certificates and some
certificates are free? Why? Is it based on the purpose of the certificate?

4. So in the MS documentation there is mention of an Enterprise
certification authority and a Stand-Alone certification authority. Are these
two terms Microsoft only terminology?

Thanks for your time on this.

    You are right. Anyone can be a CA (Certificate Authority). The main
    question here is who do we trust? I am sure you trust your mother, but I
    don't :-). So would I use certificates issued by her CAs? Well that depends.

    Microsoft has its own CA servers set up for their use, but they don't offer
    them commercially.

    Why Verisign? It is a known and trusted company, but the main thing is their
    Certificate Practice Statement. It is a policy on how they work and what is
    required before they issue a certificate. First they will want to see some
    proof that the company that is requesting a certificate actually exists. Then
    you have to prove that the domain for which you are requesting a certificate is
    actually yours (or you have to get permission to use this domain from the
    owner of the domain). This simply means I can't order a certificate for the domain
    www.microsoft.com (yes, the FQDN is quite important in certificates). In the end
    they will call a company employee and verify if they really did order a
    certificate. For calling they will use a 3rd party source to get the needed phone
    number (usually they will use DUNS as a source - Dun and Bradstreet).

    To make things "simple": I use a 3rd party trusted source (e.g. Verisign,
    Thawte, ...) for my business. Since you don't want to check up on me if I
    am trustworthy, you too use a 3rd party trusted source. If we both consider
    the same source as trusted we can do business :-).

    Yes there is room for exploits, but if you set up your own CA and use it on
    your web server, you will have a hard time convincing me to trust you. Still,
    the session between my IE and your web server will still be secure (https).

    The terms Standalone CA and Enterprise CA are two Microsoft terms. When you buy
    Windows server you also buy a CA service that you can install as any other
    component (just like the SMTP service or IIS service or ...). If this server is
    not integrated in CA then it is a Standalone CA (you can have a Standalone Root
    CA or Subordinate CA -- so you get a hierarchy of CAs for additional
    security). If you set up your CA to integrate with the domain then you get an
    Enterprise CA. You can also have a hierarchy of a Stand Alone Root CA and a
    Subordinate Enterprise CA.

    The usual practice in the Microsoft world is to have your own CA server (if you have
    such needs). You use this CA server for internal purposes (signing internal
    e-mails, securing access to internal servers such as Outlook Web Access
    servers, VPN authentication ... etc). You can even use it for business with
    your business partners. Among other things, you can save quite some money
    since you don't have to pay for every certificate that you issue to your
    employees.

    Still, when it comes to on-line shops, on-line ordering, etc... the same company
    will use 3rd party CA servers like Verisign.

    Mike

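The trust decision Mike describes, carried out with Go's standard X.509 verifier, as an added example that is not part of the thread: a Standalone Root CA issues a Subordinate CA, which issues a server certificate, and a relying party accepts that certificate only if it already trusts the root, and only for the FQDN named in it. All CA and host names here are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn (dns = subject alternative names) signed by parent's key; a nil parent gives a self-signed root CA.
func issue(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, // CA:TRUE is what entitles a certificate to sign others
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusts reports whether a relying party that trusts only root, and is handed intermediate with leaf, accepts leaf for host.
func trusts(leaf, intermediate, root *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)         // the relying party's trust store: what "I trust" means
	inters.AddCert(intermediate) // sent by the server alongside its own certificate
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

func main() {
	root, rootKey := issue("Example Standalone Root CA", nil, true, nil, nil)
	sub, subKey := issue("Example Subordinate CA", nil, true, root, rootKey)
	srv, _ := issue("www.example.test", []string{"www.example.test"}, false, sub, subKey)
	mom, _ := issue("Mom's Root CA", nil, true, nil, nil) // a CA nobody else has decided to trust
	fmt.Println(trusts(srv, sub, root, "www.example.test"))  // true: chains to a root I trust
	fmt.Println(trusts(srv, sub, mom, "www.example.test"))   // false: same cert, but I don't trust that root
	fmt.Println(trusts(srv, sub, root, "www.microsoft.com")) // false: right chain, wrong FQDN
}
```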