Firewall Wizards: Re: IPsec and firewalls

Re: IPsec and firewalls

From: <carson_at_tla.org>
Date: Mon, 9 Feb 1998 12:56:28 -0500 (EST)

>>>>> "Adam" == Adam Shostack <adam_at_homeport.org> writes:

Adam> Regarding Carson's points about making your firewall a CA, I
Adam> think that for any company which has more than a few servers
Adam> internally, making the FW a Certification Authority is a mistake. A
...
Adam> I suspect that Carson knew this, and misspoke, hitting one of
Adam> my pet peeves. :)

Nope. I said make it _a_ CA, not _the_ CA. A big difference. The only certs
it would be signing are the bogus ones required to spoof SSL. Your browser
has to trust it as a CA, so you should make sure it's hard to get at its
signing key, but nobody _outside_ your organization should trust it, and you
don't have to trust it for signing keys (if your client software is smart
enough).

"I see...you want to go to https:/www.blackhat.com/nukeme.exe...<fumble
fumble fumble> _I'm_ www.blackhat.com. _Really_ I am. You trust me, don't
you? <bat, bat, bat> Now let's see if that file passes my toxic waste
filters..."

-- 
Carson Gaspar -- carson_at_cs.columbia.edu carson_at_tla.org carson_at_cugc.org
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body
Received on Feb 09 1998
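
The trust boundary described in the message above, as an added example that is not part of the original post: a client that has installed the firewall's CA accepts the substitute certificate, while a client with any other trust store rejects it. It assumes the `openssl` command-line tool is installed; the organization name, hostname and file names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration. Example Corp and www.example.test are constructed names.
# Prints "inside=<ok|fail> outside=<ok|fail>" and returns 0 only when the
# substitute certificate validates for clients that trust the firewall's CA
# and for nobody else.
inspection_ca_demo() {
  d=$(mktemp -d) || return 2

  # The firewall's own CA: "a" CA, installed only in internal clients.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Corp/CN=Example Firewall Inspection CA" \
    -keyout "$d/fw-ca.key" -out "$d/fw-ca.pem" 2>/dev/null || return 2

  # An unrelated root, standing in for the trust store of an outside client.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated Outside Root" \
    -keyout "$d/outside.key" -out "$d/outside.pem" 2>/dev/null || return 2

  # The substitute server certificate the firewall signs for an inspected site.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 2
  openssl x509 -req -in "$d/leaf.csr" -days 1 \
    -CA "$d/fw-ca.pem" -CAkey "$d/fw-ca.key" -CAcreateserial \
    -out "$d/leaf.pem" 2>/dev/null || return 2

  # Validate the same leaf against each trust store.
  inside=fail; outside=fail
  openssl verify -CAfile "$d/fw-ca.pem" "$d/leaf.pem" >/dev/null 2>&1 && inside=ok
  openssl verify -CAfile "$d/outside.pem" "$d/leaf.pem" >/dev/null 2>&1 && outside=ok

  rm -rf "$d"
  echo "inside=$inside outside=$outside"
  [ "$inside" = ok ] && [ "$outside" = fail ]
}

inspection_ca_demo
```

Everything that makes the substitute certificate acceptable is the private key in `fw-ca.key`, which is why the message stresses keeping the signing key hard to get at.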