Home > Archive > microsoft.public.cert.exams.mcse > March 2004 > Certificates






Author Certificates
Tim Kettring

2004-03-27, 1:23 pm

I am studying for win-2k-server, and don't understand what certificates
(from Verisign etc.) are good for. Why would a person need a root
certificate when they supply a user name and password?

Thanks, tim



Rowdy Yates

2004-03-27, 2:23 pm

"Tim Kettring" <tim6kettring@e-garfield.com> wrote in news:c44ek2$2ehq8m$1
@ID-212626.news.uni-berlin.de:

> I am studying for win-2k-server, and don't understand what certificates
> (from Verisign etc.) are good for. Why would a person need a root
> certificate when they supply a user name and password?
>
> Thanks, tim
>


trust.

i create a server and a root CA and name it "BestBuy.com".
i issue myself a certificate, "Rowdy Yates, Bestbuy.com".

am I now affiliated with BestBuy.com? why not?

--
Rowdy Yates
-------------------------------
Death to the Gypsy Kings!
-------------------------------
I am Against-TCPA
http://www.againsttcpa.com
Tim Kettring

2004-03-27, 2:23 pm

"Rowdy Yates" <rowdy_yates2@remove.lycos.com> wrote in message
news:Xns94B983DF1CBF2rowdyyates2lycoscom@207.46.248.16...
> "Tim Kettring" <tim6kettring@e-garfield.com> wrote in news:c44ek2$2ehq8m$1
> @ID-212626.news.uni-berlin.de:
>
>
> trust.
>
> i create a server and a root CA and name it "BestBuy.com".
> i issue myself a certificate, "Rowdy Yates, Bestbuy.com".
>
> am I now affiliated with BestBuy.com? why not?
>


My best guess is no, because the certificate has not been issued by a
trusted Certificate Authority like Verisign.

> --
> Rowdy Yates
> -------------------------------
> Death to the Gypsy Kings!
> -------------------------------
> I am Against-TCPA
> http://www.againsttcpa.com



Rowdy Yates

2004-03-27, 2:23 pm

"Tim Kettring" <tim6kettring@e-garfield.com> wrote in
news:c44gca$2cmrn9$1@ID-212626.news.uni-berlin.de:

> "Rowdy Yates" <rowdy_yates2@remove.lycos.com> wrote in message
> news:Xns94B983DF1CBF2rowdyyates2lycoscom@207.46.248.16...
>
> My best guess is no, because the certificate has not been issued by a
> trusted Certificate Authority like Verisign.
>
>
>
>


that's why you need verisign. ;-)

they also provide a central location/repository where everyone can go to
one place to verify that people are who they claim to be. the efficient
management of public and private keys/certificates is the big issue with
PKI. the issue is, it's a big pain in the XXX.

i invested in this book:
RSA Security's Official Guide to Cryptography
by Steve Burnett, Stephen Paine

best $$$ i ever spent. it helped me better understand PKI. i don't think
microsoft does as good a job in their mcse curriculum.

ry


--
Rowdy Yates
-------------------------------
Death to the Gypsy Kings!
-------------------------------
I am Against-TCPA
http://www.againsttcpa.com
Sartan Dragonbane

2004-03-27, 2:23 pm

Security+ training covers it quite well
"Rowdy Yates" <rowdy_yates2@remove.lycos.com> wrote in message
news:Xns94B9892BFBFD9rowdyyates2lycoscom@207.46.248.16...
> "Tim Kettring" <tim6kettring@e-garfield.com> wrote in
> news:c44gca$2cmrn9$1@ID-212626.news.uni-berlin.de:
>
>
> that's why you need verisign. ;-)
>
> they also provide a central location/repository where everyone can go to
> one place to verify that people are who they claim to be. the efficient
> management of public and private keys/certificates is the big issue with
> PKI. the issue is, it's a big pain in the XXX.
>
> i invested in this book:
> RSA Security's Official Guide to Cryptography
> by Steve Burnett, Stephen Paine
>
> best $$$ i ever spent. it helped me better understand PKI. i don't think
> microsoft does as good a job in their mcse curriculum.
>
> ry
>
>
> --
> Rowdy Yates
> -------------------------------
> Death to the Gypsy Kings!
> -------------------------------
> I am Against-TCPA
> http://www.againsttcpa.com



DalePres

2004-03-27, 3:23 pm

Certificates are about authentication, as in proving your identity. If you
have a certificate that is directly chained or traceable to a certificate
authority that I trust, then I believe your certificate is valid, and
therefore you are who you say you are.

It doesn't have to tie to Verisign in any way; Verisign is no more
trustworthy than many other companies but they set themselves up as a root
authority. If you trust them, then Windows, by default, will trust
certificates traceable to them. If you don't trust them, then their
certificates are useless to you.

You can install the certificate server on W2K or W2K3 and set yourself up as
a certificate issuer. If you could convince anyone to add your certificate
to their trusted authority lists then your certificates would work for
validating your identity to them. One key application would be signed
software packages within an organization. If you establish a CA on your
domain and issue certificates, you can sign your own software. The
signatures would only be accepted within your domain.

Another application would be to use SSL within your intranet. Issue your
own certificates and set your own domain as a trusted CA.

Here's a good MS link on the topic:

http://www.microsoft.com/windowsxp/..._cmcertscas.asp

Dale


"Tim Kettring" <tim6kettring@e-garfield.com> wrote in message
news:c44ek2$2ehq8m$1@ID-212626.news.uni-berlin.de...
> I am studying for win-2k-server, and don't understand what certificates
> (from Verisign etc.) are good for. Why would a person need a root
> certificate when they supply a user name and password?
>
> Thanks, tim
>
>
>
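Rowdy's "BestBuy.com" thought experiment and Dale's point about trusted authority lists, as an added Go example that is not part of any post in this thread. The function names are hypothetical and both certificates are constructed in memory; the same user certificate is checked once by a verifier with an empty trust list and once by a verifier that has added the home-made root.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (hypothetical helper) signs tmpl with the issuer's private key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (cert *x509.Certificate) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildChain makes a home-made root CA named "BestBuy.com" and a user certificate issued by it (constructed data).
func BuildChain() (root, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	from, to := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "BestBuy.com"},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = issue(caTmpl, caTmpl, caPub, caKey) // self-signed: template is its own parent
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Rowdy Yates, BestBuy.com"}, NotBefore: from, NotAfter: to}
	return root, issue(leafTmpl, root, userPub, caKey)
}

// VerifyAgainst checks leaf against only the roots this particular verifier has chosen to trust.
func VerifyAgainst(leaf *x509.Certificate, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool() // non-nil pool, so the system root store is not consulted
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

func main() {
	root, leaf := BuildChain()
	fmt.Printf("empty trust list: %v\nhome-made root trusted: %v\n", VerifyAgainst(leaf), VerifyAgainst(leaf, root))
}
```

Calling `BuildChain` twice yields two roots that share the name "BestBuy.com" but have different keys; a certificate issued under one does not verify against the other, because verification follows signatures, not names.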



DalePres

2004-03-27, 3:23 pm

Oh, by the way... After Verisign's parent company, Network Solutions,
hijacked the entire DNS system for their own personal gain, I no longer
trust Verisign. Were I using certificates, I would do anything in my power
to NOT use anything based on Verisign. "In my power" is kind of limited
since they have a virtual monopoly on commercial public certificates. If I
am not mistaken, Thawte is no longer affiliated with Verisign and is, in my
humble opinion, a much more "trustworthy" CA.

Dale



"DalePres" <don-t-spa-m-me@lea-ve-me-a-lone--.com> wrote in message
news:ODdip5CFEHA.2868@TK2MSFTNGP12.phx.gbl...
> Certificates are about authentication, as in proving your identity. If you
> have a certificate that is directly chained or traceable to a certificate
> authority that I trust, then I believe your certificate is valid, and
> therefore you are who you say you are.
>
> It doesn't have to tie to Verisign in any way; Verisign is no more
> trustworthy than many other companies but they set themselves up as a root
> authority. If you trust them, then Windows, by default, will trust
> certificates traceable to them. If you don't trust them, then their
> certificates are useless to you.
>
> You can install the certificate server on W2K or W2K3 and set yourself up as
> a certificate issuer. If you could convince anyone to add your certificate
> to their trusted authority lists then your certificates would work for
> validating your identity to them. One key application would be signed
> software packages within an organization. If you establish a CA on your
> domain and issue certificates, you can sign your own software. The
> signatures would only be accepted within your domain.
>
> Another application would be to use SSL within your intranet. Issue your
> own certificates and set your own domain as a trusted CA.
>
> Here's a good MS link on the topic:
>
> http://www.microsoft.com/windowsxp/..._cmcertscas.asp
>
> Dale
>
>
> "Tim Kettring" <tim6kettring@e-garfield.com> wrote in message
> news:c44ek2$2ehq8m$1@ID-212626.news.uni-berlin.de...
>
>



Rowdy Yates

2004-03-27, 6:23 pm

not in anywhere near enough detail. sec+ only barely skims the surface
of what's actually going on.

"Sartan Dragonbane" <NOSPAMHERE@YOUMOMMA.NULL.COM> wrote in
newsYj9c.26521$Ct5.15037@edtnps89:

> Security+ training covers it quite well
> "Rowdy Yates" <rowdy_yates2@remove.lycos.com> wrote in message
> news:Xns94B9892BFBFD9rowdyyates2lycoscom@207.46.248.16...
>
>




--
Rowdy Yates
-------------------------------
Death to the Gypsy Kings!
-------------------------------
I am Against-TCPA
http://www.againsttcpa.com
Tim Kettring

2004-03-28, 4:23 pm

Thank you for all the replies to this thread. It is making sense now. I
think I will get that book that Rowdy suggested, since I have more in-depth
questions now :-)


Steven Umbach

2004-03-28, 8:23 pm

Certificates in Windows 2000/2003 are part of the Public Key Infrastructure used
as more secure or additional authentication for users AND computers. PKI uses a
public/private keypair. The certificate is the public key that is distributed to
anyone while the private key is very sensitive and must be secured and guarded.
The domain recovery agent for EFS is an example of a private key used to recover
domain users' EFS files.

Certificates are used to issue a challenge to a computer [such as in ssl] or
user by encrypting a string and sending it to the computer along with a session
key. Only the holder of the matching private key can decrypt that string and
send it back to the computer issuing the challenge by encrypting it with the session
key that was encrypted with the challenge assuring that ONLY the original
computer issuing the challenge will be able to decrypt the response and then if
the string was successfully decrypted by the challenged computer then
authentication occurs. This assures a very high level of security in
authentication as long as the private keys are secure.

Windows 2000/2003 server can be a Certificate Authority and issue certificates
for domain users/computers or even non domain users. A private CA is usually
only trusted within the domain or organization and would be useless for
something like an IIS web server certificate for the general public since their
computers/browsers would not trust the private certificates. However for a
domain or organization, private certificates/private keys can be very useful in
increasing security for things like ipsec, l2tp, EFS, email, smart cards, and
user authentication. For instance l2tp requires a machine certificate/private
key while pptp does not. The advantage is that if your organization uses l2tp,
only computers with machine certificates/private keys issued by your CA will be
able to access your network via vpn greatly increasing remote access security by
eliminating the risk of password guessing from non domain machines. Smart cards
are another example of using PKI in the domain. The smart card contains your
user private key stored in a chip. With smart card access required, no one will
be authenticated to the computer without the smart card being physically present
and the user needs to enter a numeric code which usually locks out the user
after a few bad attempts. These are the ways in which PKI can greatly increase
security over traditional logon name/password. --- Steve

"Tim Kettring" <tim6kettring@e-garfield.com> wrote in message
news:c44ek2$2ehq8m$1@ID-212626.news.uni-berlin.de...
> I am studying for win-2k-server, and don't understand what certificates
> (from Verisign etc.) are good for. Why would a person need a root
> certificate when they supply a user name and password?
>
> Thanks, tim
>
>
>
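The challenge described in the post above, reduced to its core as an added Go example (not code from the thread): a random string is encrypted to the public key taken from the certificate, and only the holder of the matching private key can return it. The session-key wrapping of the reply that the post mentions is left out, and all function names and key pairs here are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Challenge encrypts a fresh random string to the public key found in a certificate.
// Only the holder of the matching private key can recover the string.
func Challenge(pub *rsa.PublicKey) (nonce, ciphertext []byte, err error) {
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, nil)
	return nonce, ciphertext, err
}

// Respond is run by the party being authenticated: decrypt the challenge with its private key.
func Respond(priv *rsa.PrivateKey, ciphertext []byte) []byte {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
	if err != nil {
		return nil // wrong private key: nothing useful to send back
	}
	return plain
}

// Authenticate runs one round and reports whether the responder proved possession of the key.
func Authenticate(certKey *rsa.PublicKey, responder *rsa.PrivateKey) bool {
	nonce, ct, err := Challenge(certKey)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(nonce, Respond(responder, ct)) == 1
}

// Demo uses two constructed key pairs: the certificate's owner, and someone who only copied the certificate.
func Demo() (ownerOK, impostorOK bool) {
	owner, _ := rsa.GenerateKey(rand.Reader, 2048)
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048)
	return Authenticate(&owner.PublicKey, owner), Authenticate(&owner.PublicKey, impostor)
}

func main() {
	fmt.Println(Demo())
}
```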



Tim Kettring

2004-03-28, 9:23 pm

Thank you very much Steve, I will read your post many times!!!

"Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
newscK9c.26436$w54.171756@attbi_s01...
> Certificates in Windows 2000/2003 are part of the Public Key Infrastructure used
> as more secure or additional authentication for users AND computers. PKI uses a
> public/private keypair. The certificate is the public key that is distributed to
> anyone while the private key is very sensitive and must be secured and guarded.
> The domain recovery agent for EFS is an example of a private key used to recover
> domain users' EFS files.
>
> Certificates are used to issue a challenge to a computer [such as in ssl] or
> user by encrypting a string and sending it to the computer along with a session
> key. Only the holder of the matching private key can decrypt that string and
> send it back to the computer issuing the challenge by encrypting it with the session
> key that was encrypted with the challenge assuring that ONLY the original
> computer issuing the challenge will be able to decrypt the response and then if
> the string was successfully decrypted by the challenged computer then
> authentication occurs. This assures a very high level of security in
> authentication as long as the private keys are secure.
>
> Windows 2000/2003 server can be a Certificate Authority and issue certificates
> for domain users/computers or even non domain users. A private CA is usually
> only trusted within the domain or organization and would be useless for
> something like an IIS web server certificate for the general public since their
> computers/browsers would not trust the private certificates. However for a
> domain or organization, private certificates/private keys can be very useful in
> increasing security for things like ipsec, l2tp, EFS, email, smart cards, and
> user authentication. For instance l2tp requires a machine certificate/private
> key while pptp does not. The advantage is that if your organization uses l2tp,
> only computers with machine certificates/private keys issued by your CA will be
> able to access your network via vpn greatly increasing remote access security by
> eliminating the risk of password guessing from non domain machines. Smart cards
> are another example of using PKI in the domain. The smart card contains your
> user private key stored in a chip. With smart card access required, no one will
> be authenticated to the computer without the smart card being physically present
> and the user needs to enter a numeric code which usually locks out the user
> after a few bad attempts. These are the ways in which PKI can greatly increase
> security over traditional logon name/password. --- Steve
>
> "Tim Kettring" <tim6kettring@e-garfield.com> wrote in message
> news:c44ek2$2ehq8m$1@ID-212626.news.uni-berlin.de...
>
>




Copyright 2003 - 2008 examnotes.net