Pantek Library

RE: CA-SSL in IIS

From: CORREIA, PATRICK <pcorreia(at)cha-llp.com>
Date: Tue Jul 15 2003 - 12:09:53 EDT


There is a concept involved here of a "chain of trust". When Verisign signs your SSL certificate, they are giving their promise that they trust that you are who you say you are. When Joe User comes to your site, he has to decide if he trusts Verisign to make that decision. The chain can actually be much longer through the use of intermediate certification authorities. A user can "install" a certificate as a trusted root, meaning they trust the holder of that certificate to sign other certificates. This is the benefit of paying a third-party CA -- their root certificate is already trusted by a default install of most browsers, including Internet Explorer.

In terms of the public web, if you sign certificates with your own CA, the certification chain will end with the certificate of your CA, which will not be trusted by most clients. So when they visit your web site, they will see an error message that the site is trying to establish an SSL connection but the identity of the server could not be positively established. This will probably scare people, even though the encryption will still work to the fullest extent. In a controlled environment, you could install the certificate of the CA as trusted on all the client machines and you would have no problems at all.

--

Patrick Correia, Web Designer
Clough, Harbour & Associates LLP
III Winners Circle
P.O. Box 5269
Albany, New York 12205-0269
http://www.cha-llp.com

-----Original Message-----

From: Ed Sunder [mailto:edsunder@threehd.com]
Sent: Tuesday, July 15, 2003 10:50 AM
To: focus-ms@securityfocus.com
Subject: RE: CA-SSL in IIS

What drawbacks are there in becoming your own certificate service? Versus one of the major SSL services? Other than that the source of the certificate (if the user looked it up) would not be a commercially known provider and you couldn't participate in any of the major providers' ever so valuable certificate programs.

Ed Sunder
Three HD



Received on Tue Jul 15 14:33:13 2003
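
The difference described in the reply above, between a client that has not installed the private CA's certificate and one that has, as an added example that is not part of the original thread. It assumes the OpenSSL command-line tool is installed; the CA name, host name and function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: the same server certificate judged by two clients.
# CA name and host name are constructed; requires the openssl CLI.
set -u

build_pki() {  # $1 = work dir; writes ca.pem (private root) and server.pem
  local d="$1"
  # Self-signed root: this is where the chain ends for an in-house CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example In-House Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  # Server key plus signing request, then the CA signs the request.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=intranet.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/server.pem" 2>/dev/null || return 1
}

trusted_by() {  # $1 = certificate, $2 = optional root the client has installed
  local cert="$1" root="${2:-}" out
  if [ -n "$root" ]; then
    out=$(openssl verify -CAfile "$root" "$cert" 2>&1) || true
  else
    out=$(openssl verify "$cert" 2>&1) || true  # default trust store only
  fi
  # "file: OK" is printed only when a chain to a trusted root was built.
  printf '%s\n' "$out" | grep -q ': OK$'
}

demo() {
  local d; d=$(mktemp -d) || return 1
  build_pki "$d" || { echo "openssl failed" >&2; rm -rf "$d"; return 1; }
  if trusted_by "$d/server.pem"; then echo "default client: trusted"
  else echo "default client: NOT trusted (issuer unknown)"; fi
  if trusted_by "$d/server.pem" "$d/ca.pem"; then echo "CA installed: trusted"
  else echo "CA installed: NOT trusted"; fi
  rm -rf "$d"
}
demo
```

The certificate and key are identical in both checks; only the client's set of trusted roots changes the outcome.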

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:34 EDT

