Richard Levitte - VMS Whacker wrote:
> While holding a lecture on PKI today, I was presented with a rather
> interesting question that I couldn't answer:
>
> A company wants to set up a web server that is secured through SSL,
> and would like it to have maximum availability to the public out there
> while keeping maximum trust within the company.  The way they tried to
> solve this was to have the server return two server certificates, one
> signed by VeriSign, which would be used by "the public out there" and
> one that's signed by the internal company CA.
>
> However, that idea has a problem: the company in question doesn't
> trust VeriSign.  Period.
If they don't trust VeriSign,
why do they spend money on a certificate issued by them?

The concept of the certificates is based on the fact that you
trust the third party that will issue the certificate.

> The only real solution we found so far was to have the server
> available on ports 443 (for the public out there) and 444 (for access
> from inside the company), and have those two ports return the
> corresponding server certificate (443 would return the certificate
> signed by VeriSign, 444 would return the certificate signed by the
> internal company CA).
If they don't trust an external CA (VeriSign is not the only one
out there, e.g. there is a very nice CA in Hamburg, Germany,...) and
they don't want to publish with their own CA, that seems to be
the only solution.

Perhaps they should use a local redirector that redirects HTTPS
connections from the inside to port 444...

> Any other ideas?  Solving this in a better way than having two ports
> would be quite welcome.
They should list their requirements for a CA.
Maybe there is a public CA they can trust...

Bye

Goetz

--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126
