Re: Intranet: *Internal* Certifying Authority?

At 1:37 PM 4/9/96, justin.clark@Integralis.co.uk wrote:
>     How can a large organisation, who are concerned for internal security,
>     implement an internal Certifying Authority for issuing (x.509?)
>     Certificates to their internal users? This is for a large and secure
>     Intranet Web project.
>     I believe that Netscape's Commerce Server will support the main
>     functionality such as encryption, authentication and digital signatures
>     but the connection and creation of a CA is the confusing part on this.

I was thinking of asking this same question after seeing that the latest
Netscape beta, "Atlas PR1", now supports client-side certificates and
multiple certificate authorities. I believe for this to work, you need a
server that supports client-side authentication. Netscape's Enterprise
Server 2.0, which appears to replace Commerce Server, will do this. I'm
sure other vendors are working on comparable products as well.

I tried to look into what products would support this a couple years ago. I
only found 2 solutions, one being a $15,000 "CIS" box from RSA and another
being the freeware from TIS, TIS-PEM. I didn't really like either. About a
year ago, RSA announced a PC-based software-only CIS product, but I don't
know if they ever released it. I've also been hearing a lot about Entrust,
but don't know if it meets this need.

I too would like to be able to set up a local Certificate Authority (CA).
This CA would be for internal-use only and so, at least at first, I'd
prefer to not have to purchase any CA services from an outside vendor.
(Would be a nice option for the future when there will be enough external
activity to justify the cost.) I'd like for my local CA to interoperate
with Netscape Navigator's "Obtain New Certificate" option (Security
Preferences, Personal Certificates).

If anyone has some good advice in this area, I'd appreciate hearing...


Jamey Maze

Lockheed Martin Energy Systems		Tel: 423-574-6355
Oak Ridge National Laboratory		Fax: 423-574-8922
White Oak Road, P.O.Box 2008
Oak Ridge, TN 37831-6394
