On Thu, 5 Aug 2004, Michael Gale wrote:
> I understand that administration headache ... but the IE vulnerabilities would have me worried. Other than that, SSL filtering would be nice.
Part of this is to define the certificate policy of the proxy. This obviously includes limited (if any) access to https sites having invalid certificates.
For what it is worth, the fake CA only needs to issue certificates for sites having a valid certificate. For other sites you could issue self-signed certificates to alert the user that this site does not have a valid certificate.
What needs to be different in the certificate presented to the user from the original site certificate is:
1. The encryption key.
2. The CA who issued the certificate on trusted certificates.
If the site certificate does not compute then it is best to issue a self-signed certificate.
In both cases the expiry date should be no further than the original site certificate.

Regards
Henrik
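
The re-issuing policy described in the message above, as an added example that is not part of the original post and is not Squid's code. It assumes the Python `cryptography` package, and the helper names (`reissue`, `build`, `window`, `demo`) and the sample CA and site names are hypothetical. Extensions such as subjectAltName and basicConstraints are omitted.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def window(cert):
    # Aware UTC datetimes on cryptography >= 42, naive UTC on older releases.
    return (getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before,
            getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after)

def build(subject, issuer, public_key, signing_key, not_before, not_after):
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .sign(signing_key, hashes.SHA256()))

def reissue(origin, origin_ok, ca_cert, ca_key):
    """Certificate the proxy presents to the client in place of `origin`.
    `origin_ok` is the proxy's own verdict on the origin certificate."""
    key = ec.generate_private_key(ec.SECP256R1())   # 1. a new key, held by the proxy
    not_before, not_after = window(origin)          # expiry never later than the origin's
    if origin_ok:                                   # 2. the issuer becomes the proxy CA
        issuer, signer = ca_cert.subject, ca_key
    else:                                           # self-signed, so the client warns
        issuer, signer = origin.subject, key
    return key, build(origin.subject, issuer, key.public_key(), signer, not_before, not_after)

def demo():
    # Constructed sample data: a throwaway proxy CA and a stand-in origin certificate
    # (the stand-in's signature is not meaningful; only its fields are used).
    t0 = dt.datetime(2024, 1, 1)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = build(name("Example Proxy CA"), name("Example Proxy CA"), ca_key.public_key(),
               ca_key, t0, t0 + dt.timedelta(days=3650))
    site_key = ec.generate_private_key(ec.SECP256R1())
    origin = build(name("www.example.test"), name("Constructed Public CA"),
                   site_key.public_key(), site_key, t0, t0 + dt.timedelta(days=90))
    return ca, origin, reissue(origin, True, ca, ca_key)[1], reissue(origin, False, ca, ca_key)[1]

if __name__ == "__main__":
    for cert in demo()[2:]:
        print(cert.issuer.rfc4514_string(), window(cert)[1])
```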
