On Mon, 4 Feb 2002 17:20:06 -0500, bjw wrote:
>I am trying to provide private company sensitive information to our
>"off-site" technicians and sales people. The information is to be presented
>via http (preferably https) to simplify the access and to keep it private.
>It's nothing secrete but not anyone else's business, either.
That's a perfect application for a private CA. Personally, I'd still use a
VeriSign (or other public CA) certificate if it was only one server, simply
because it's easier than going to the trouble of getting everyone to install
your root certificate. However, if you envision your own public key
infrastructure, then you might as well get started now.
>I was wishing to provide my own CA, because I trust myself and so will our
>off-site staff. I/we are not dealing with the general public, so, I do not
>(feel) I require the extra level of trust that would provided by a public CA
>(verisign, Equifax, etc,) I chose ssl because it seem to be an inexpensive,
>quick, simple and secure method in place of RAS, VPN or ssh. At least for my
>needs.
>Perhaps, I am using ssl incorrectly by trying to use a my own (private) CA?
>Am I setting my self up for disaster?? Is there better solution?!?
No, that's fine. You just need some secure way to get your root certificate
out to everyone who needs to use it. If you can distribute it some secure
way, then you're set (for example, you can put it on a secure file server or
you can include it in the installation package for some company software).
Otherwise, I'd again suggest one VeriSign key so that people can be sure
they're talking to you when they get your root certificate.
I still recommend that in most cases you have at least one thing signed by a
public CA to 'root' the system. For example, how do I know the root key that
you claim is yours is really yours? If you can sneaker net it to each
machine, or you're more interested in protecting against passive interception
over the wire, you don't need to be paranoid about this.
So what it comes down to is, do you have a secure way to distribute your
root certificate and get it properly installed in the browsers of everyone
who's going to use your system? Are you more concerned with interception
prevention than source authentication or do you have a distribution means you
have confidence over?
If you set up your own root certificate and do go to the trouble of
distributing it, I'd suggest you create it so it can be used for code signing
and email as well. That way if you ever decide to use it to authenticate
email origins or code updates, you won't have to go to the trouble of
modifying everyone's browsers again.
DS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
