However, in that case, you are basically vouching for the validity of
the merchant. Is that another burden that we as providers really want to
bear? Probably not, so I'd say let the user get their own cert and
upsell them to a virtually domained website. It may be more work, but I
would imagine it is definitely worth the hassle when that first consumer
lawsuit comes around....
----------
From: Jeff Woods[SMTP:jeff@delta.com]
Sent: Thursday, June 19, 1997 6:21 AM
To: ntisp@emerald.iea.com
Subject: Re: SSL Certificates
At 01:13 AM 6/18/97 -0600, you wrote:
>How do most of you guys deal with SSL? Management here has suggested
>purchasing one SSL certificate under our ISP company name & using it for
>any business clients who wish to have secure order forms.
BAD BAD BAD! If the remote user comes to someone on YOUR server who is
using www.acme.com, and you (and the certificate) are www.isp.com, then the
remote user will get a SECURITY NOTICE when they try to get a secure page
from https://www.acme.com -- the certificates will NOT match!
You simply MUST let your customers acquire their OWN certs. Use the "Key
Manager" in IIS 3.0 to generate a key pair for the customer, and the
customer can take that key pair to Verisign to be made into a certificate
at their own expense. Otherwise, the cert is useless on the customer's site.
>I was under the
>opinion, however, that it would be preferable for each business client to
>purchase their own SSL certificate so that any Internet related CreditCard
>troubles are reflected on the client business company name & not our own.
This is yet another good reason, but not the primary one.
----------------------------------------------------------
NTISP Mailing List listserver@emerald.iea.com
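
The name mismatch described in the thread, as an added example that is not part of the original messages: a simplified version of the hostname check a browser applies to a server certificate, run against one ISP-owned certificate shared by several hosted sites. The function names, the wildcard handling (later RFC 6125-style rules; browsers of the period compared the Common Name) and the host secure.isp.com are assumptions made for illustration.

```python
# Added example: simplified certificate-name check, not code from the thread.
# Assumption: RFC 6125-style matching (exact name, or "*" as the whole
# left-most label). Partial wildcards such as "w*.isp.com" are not supported.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name covers the requested hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one DNS label
    if p_labels[0] == "*":
        # Refuse over-broad wildcards like "*.com"; compare the remaining labels.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def audit_vhosts(cert_names, vhosts):
    """Map each hosted site to True (name covered) or False (browser warning)."""
    return {h: any(name_matches(n, h) for n in cert_names) for h in vhosts}


# Constructed sample: one certificate issued to the ISP, served for every site.
ISP_CERT_NAMES = ["www.isp.com"]
HOSTED_SITES = ["www.isp.com", "www.acme.com", "secure.isp.com"]

if __name__ == "__main__":
    for host, ok in audit_vhosts(ISP_CERT_NAMES, HOSTED_SITES).items():
        status = "name matches" if ok else "NAME MISMATCH (security notice)"
        print(f"https://{host}: {status}")
```

Only the ISP's own hostname passes; the customer's www.acme.com fails because no name in the shared certificate covers it, which is why each customer domain needs a certificate issued for its own name.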