Certificate confusion?

Archived from groups: microsoft.public.win2000.security

Hello all!

I am trying to get my small brain around something that I have taken for
granted for a while. Certificates. I understand the general concepts with
the public/private key business, but there are some details that are causing
me problems. I know I am misunderstanding some things.

1. What's the point? If I am understanding correctly a Certificate
verifies the authenticity of the two entities involved in some sort of
transaction. Well that is great but what if one of the entities is a crook?

2. Can anyone be a CA? I know Verisign is a CA...is Microsoft? Can my mom
become a CA? I kind of trust her? If anyone can become a CA, then what is
the value of a Certificate?

3. We pay roughly $250 to Verisign for an SSL certificate. Could I have
gotten this Certificate from Microsoft instead? Would it cost me anything?
As far as I can tell some CAs charge for their certificates and some
certificates are free? Why? Is it based on the purpose of the certificate?

4. So in the MS documentation there is mention of an Enterprise
certification authority and a Stand-Alone certification authority. Are these
two terms Microsoft only terminology?

Thanks for your time on this.
 
Archived from groups: microsoft.public.win2000.security

You are right. Anyone can be a CA (Certificate Authority). The main
question here is who do we trust? I am sure you trust your mother, but I
don't :). So would I use certificates issued by her CAs? Well, that depends.

Microsoft has its own CA servers set up for their use, but they don't offer
them commercially.

Why Verisign? It is a known and trusted company, but the main thing is their
Certificate Practice Statement. It is the policy of how they work and what is
required before they issue a certificate. First they will want to see some
proof that the company that is requesting the certificate actually exists. Then
you have to prove that the domain for which you are requesting the certificate
is actually yours (or you have to get permission to use this domain from the
owner of the domain). This simply means I can't order a certificate for the
domain www.microsoft.com (yes, the FQDN is quite important in certificates).
In the end they will call a company employee and verify that they really did
order a certificate. For the call they will use a 3rd-party source to get the
needed phone number (usually they will use DUNS as a source - Dun and Bradstreet).

To make things "simple": I use a 3rd-party trusted source (e.g. Verisign,
Thawte, ...) for my business. Since you don't want to check up on me to see if
I am trustworthy, you too use a 3rd-party trusted source. If we both consider
the same source as trusted, we can do business :).

Yes, there is room for exploits, but if you set up your own CA and use it on
your web server, you will have a hard time convincing me to trust you. Still,
the session between my IE and your web server will be secure (https).

The terms Standalone CA and Enterprise CA are two Microsoft terms. When you buy
Windows server you also buy a CA service that you can install like any other
component (just like the SMTP service or IIS service or ...). If this server is
not integrated with the domain then it is a Standalone CA (you can have a
Standalone Root CA or Subordinate CA -- so you get a hierarchy of CAs for
additional security). If you set up your CA to integrate with the domain then
you get an Enterprise CA. You can also have a hierarchy of a Stand Alone Root CA
and a Subordinate Enterprise CA.

The usual practice in the Microsoft world is to have your own CA server (if you
have such needs). You use this CA server for internal purposes (signing internal
e-mails, securing access to internal servers such as Outlook Web Access
servers, VPN authentication, etc.). You can even use it for business with
your business partners. Among other things, you can save quite some money
since you don't have to pay for every certificate that you issue to your
employees.

Still, when it comes to on-line shops, on-line ordering, etc., the same company
will use 3rd-party CA servers like Verisign.

Mike

"GlenH" <glen_huey@teledyne.nospam.com> wrote in message
news:98E0BEB6-3EBE-4C5A-95C6-0E83E12642E1@microsoft.com...
> Hello all!
>
> I am trying to get my small brain around something that I have taken for
> granted for a while. Certificates. I understand the general concepts with
> the public/private key business, but there are some details that are causing
> me problems. I know I am misunderstanding some things.
>
> 1. What's the point? If I am understanding correctly a Certificate
> verifies the authenticity of the two entities involved in some sort of
> transaction. Well that is great but what if one of the entities is a crook?
>
> 2. Can anyone be a CA? I know Verisign is a CA...is Microsoft? Can my mom
> become a CA? I kind of trust her? If anyone can become a CA, then what is
> the value of a Certificate?
>
> 3. We pay roughly $250 to Verisign for an SSL certificate. Could I have
> gotten this Certificate from Microsoft instead? Would it cost me anything?
> As far as I can tell some CAs charge for their certificates and some
> certificates are free? Why? Is it based on the purpose of the certificate?
>
> 4. So in the MS documentation there is mention of an Enterprise
> certification authority and a Stand-Alone certification authority. Are these
> two terms Microsoft only terminology?
>
> Thanks for your time on this.
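The trust decision Mike describes above (a chain that must end in a root the client has chosen to trust, the FQDN that must match, and a home-grown Root CA / Subordinate CA hierarchy that is technically sound but unknown to my browser) can be watched happening in code. The following is an added example, not code from this thread or from any Microsoft CA product: it builds a two-tier hierarchy with Go's standard crypto/x509 package and then plays the relying party three times. Every name in it (Example Root CA, Example Subordinate CA, www.example.com, Unrelated Root CA) is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is a key pair plus the certificate binding its public key to a name.
type Entity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// Issue creates a certificate for subject, self-signed when parent is nil (a root
// CA), otherwise signed by parent. Server certificates carry host in their SAN.
func Issue(subject string, parent *Entity, isCA bool, host string) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // toy serial for the demo
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{host}
	}
	parentCert, signer := tmpl, key // a root signs itself
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Entity{Key: key, Cert: cert}, nil
}

// ClassifyVerify plays the browser: it accepts server only if it chains through
// sub to trustedRoot and was issued for host. "unknown authority" is the
// home-grown-CA case; "hostname mismatch" is a certificate for someone else's FQDN.
func ClassifyVerify(server, sub, trustedRoot *x509.Certificate, host string) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(sub)
	_, err := server.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: inters,
	})
	switch err.(type) {
	case nil:
		return "trusted"
	case x509.UnknownAuthorityError:
		return "unknown authority"
	case x509.HostnameError:
		return "hostname mismatch"
	}
	return err.Error()
}

// must unwraps Issue results for the demo; a real CA would handle the error.
func must(e *Entity, err error) *Entity {
	if err != nil {
		panic(err)
	}
	return e
}

func main() {
	root := must(Issue("Example Root CA", nil, true, ""))        // kept offline in practice
	sub := must(Issue("Example Subordinate CA", root, true, "")) // the CA that issues server certs
	server := must(Issue("www.example.com", sub, false, "www.example.com"))
	other := must(Issue("Unrelated Root CA", nil, true, "")) // stands in for "my mom's CA"
	fmt.Println(ClassifyVerify(server.Cert, sub.Cert, root.Cert, "www.example.com"))  // trusted
	fmt.Println(ClassifyVerify(server.Cert, sub.Cert, other.Cert, "www.example.com")) // unknown authority
	fmt.Println(ClassifyVerify(server.Cert, sub.Cert, root.Cert, "www.microsoft.com")) // hostname mismatch
}
```

The second verdict is the whole argument of the thread: the Unrelated Root CA issued nothing wrong, the client simply never agreed to trust it, so its chain is rejected. Note that this check is only about identity; it says nothing about encryption. A TLS session to a server whose certificate fails this check is still encrypted, as Mike says, you just cannot be sure who is on the other end.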