Trusting Certificates from Other Organizations

There are situations in which you will need to trust users in other organizations. One option is to issue certificates from your own CA servers to users in the other organization. If you need maximum control over who gets a certificate, or you don’t trust the security policies of the other companies, you would issue and revoke certificates from your own CAs, and the other organization could be integrated into your CA hierarchy. The drawback is that you then have to manage the certificates for the other organization: you will need to decide on a method to securely distribute certificates to it, you will need to revoke certificates for people who leave it or whose private keys are lost along with a smart card or computer, and you will need processes in place to handle changes in the other organization that affect your CA hierarchy.

Real World Scenario: Establishing a Cross-Certificate Trust
Jenny is in charge of security at VanderDoes and Fenton, a large law firm in Philadelphia. The law firm takes security very seriously and has a PKI for two-factor authentication and wireless authentication of clients. The law firm is aggressively growing, which means it is merging with other law firms to increase its size and caseload.

VanderDoes and Fenton recently acquired a medium-sized law firm. This law firm has its own PKI in place to support its applications and two-factor authentication.

In addition to the acquisition, VanderDoes and Fenton has just purchased a new application that allows its clients to view the progress of a case from a website. The lawyers from both firms are pushing for access to each other’s systems and the clients want access to the website, but they want assurances that their transactions will be secure.

Because VanderDoes and Fenton has an existing PKI, Jenny decides that, rather than reissue all the lawyers’ and staff certificates from their CAs, it would be faster to set up a cross-certification so that each PKI trusts the root of the other organization. This means that users will be able to gain access to the information in each domain with minimal work for Jenny and her staff. She also decides to lease a certificate from a commercial CA to provide SSL for the web application, and to require 128-bit encryption to protect traffic to the application over the Internet. She authenticates the clients at the web server with basic authentication over SSL.

Many organizations will not be ready to take on that much coordination and overhead, which means greater cost. The alternative to managing the other organization’s certificates yourself is to have the other organization manage its own certificates and to trust the certificates it issues. You can establish a cross-certification to trust the certificates issued in the other organization. A cross-certification allows two organizations to trust each other and rely on each other’s certificates and keys as if they had been issued by their own certificate authorities. The two CAs exchange cross-certificates, which enables users in each organization to interact securely with users in the other.

A certificate will need to be issued and distributed to users, computers, or services on the network. At some point the certificate will expire, depending on the policy under which it was issued, at which time it will need to be renewed. Certificates whose corresponding private key has been compromised, or that have expired, will need to be revoked.
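As an added illustration (not from the study guide), the following Python sketch uses the cryptography library with Ed25519 keys for brevity: it creates the two firms’ roots, a cross-certificate that Root A issues for Root B’s key, and a user certificate from Root B, then shows that a relying party trusting only Root A can build a chain to that user only while the cross-certificate is available. All names, keys and the firm-b.example domain are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives.asymmetric import ed25519
def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def issue(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    # Sign a certificate for subject_key with issuer_key (Ed25519 keys, for brevity).
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, None))  # Ed25519 takes no separate hash algorithm
def signed_by(cert, issuer):
    # True when the names chain and the issuer's key verifies cert's signature.
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
        return True
    except InvalidSignature:
        return False
def build_path(leaf, pool, anchors):
    # Walk issuer by issuer from leaf until a certificate signed by a trust anchor is found.
    path, current = [leaf], leaf
    while len(path) <= 6:  # bound the search
        if any(signed_by(current, a) for a in anchors):
            return path
        # Self-signed certificates in the pool are skipped: only anchors end a chain.
        nxt = next((c for c in pool if c.subject != c.issuer and c not in path
                    and signed_by(current, c)), None)
        if nxt is None:
            return None
        path.append(nxt)
        current = nxt
    return None

# Constructed demo hierarchy: Root A is our firm's CA, Root B the acquired firm's CA.
root_a_key, root_b_key, bob_key = (ed25519.Ed25519PrivateKey.generate() for _ in range(3))
ROOT_A = issue("Root A", root_a_key, "Root A", root_a_key, True)        # our trust anchor
ROOT_B = issue("Root B", root_b_key, "Root B", root_b_key, True)        # their self-signed root
CROSS_A_TO_B = issue("Root B", root_b_key, "Root A", root_a_key, True)  # cross-certificate
BOB = issue("bob@firm-b.example", bob_key, "Root B", root_b_key, False)  # their user cert

def firm_a_accepts(leaf, pool):
    # A relying party in firm A trusts only ROOT_A; returns chain length, or 0 if untrusted.
    path = build_path(leaf, pool, [ROOT_A])
    return len(path) if path else 0
```

Trust in the other direction needs the mirror cross-certificate issued by Root B for Root A’s key. Withdrawing a cross-certificate (in practice, revoking it) cuts off every certificate from the other organization at once, which is why the cross-certificate itself needs the same lifecycle management as any other CA certificate.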

MCSE: Windows Server 2003 Network Security Design Study Guide (Exam 70-298)
ISBN: 0782143296
Year: 2004
Pages: 168
