RE: SSL Certificates

Michael J. Gibbs ( (no email) )
Thu, 19 Jun 1997 06:32:28 -0700

But only if it is a virtually domained site, no? If it is a subdirectory =
under the root of the server that has the cert, it is good...

However, in that case, you are basically vouching for the validity of =
the merchant. Is that another burden that we as providers really want to =
bear? Probably not, so I'd say let the user get their own cert and =
upsell them to a virtually domained website. It may be more work, but I =
would imagine it is definately worth the hassle when that first consumer =
lawsuit comes around....

From: Jeff Woods[]
Sent: Thursday, June 19, 1997 6:21 AM
Subject: Re: SSL Certificates

At 01:13 AM 6/18/97 -0600, you wrote:

>How do most of you guys deal with SSL? Management here has suggested
>purchasing one SSL certificate under our ISP company name & using it =
>any business clients who wish to have secure order forms.=20

BAD BAD BAD! If the remote user comes to someone on YOUR server who is
using, and you (and the certificate) are, then =
remote user will get a SECURITY NOTICE when they try to get a secure =
from -- the certificates will NOT match!

You simply MUST let your customers acquire their OWN certs. Use the =
Manager" in IIS 3.0 to generate a key pair for the customer, and the
customer can take that key pair to Verisign to be made into a =
at their own expense. Otherwise, the cert is useless on the customer's =

>I was under the
>opinion, however, that it would be preferable for each business client =
>purchase their own SSL certificate so that any Internet related =
>troubles are reflected on the client business company name & not our =

This is yet another good reason, but not the primary one.

NTISP Mailing List