Designing Today's Internet

Secure Server FAQ

General Questions:

What is it?
A secure server encrypts the data sent between the client (browser) and the server (your MAIC Website Account) which prevents electronic eavesdropping from compromising your information. If you are sending or receiving credit card information, financial data, or other sensitive material, a secure server will be an important part of your site's security policy.

Do I need a secure server?
Most individuals visiting your web site feel more comfortable transmitting sensitive information through a secure connection. This is especially true if you are accepting credit card information.

What are my choices?
MAIC offers both a shared certificate, in which case the URL of your secure documents would be:

https://secure.pa.net/your.secure.file.html

or your own encryption certificate, in which case the URL of your secure documents would be:

https://www.yoursite.com/your.secure.file.html

If you choose to install your own secure server, the certificate we recommend is by Thawte and supports the SSL encryption needed to secure information exchanged between your server and your clients.

How much does it cost?
A secure server requires you to purchase an encryption key which currently costs $125 with an install cost of $20. Thawte charges $100/year to renew the certificate.

If you choose the shared certificate solution, the cost is that of normal web storage plus security verification of any scripts you wish to put on the server. We charge $60/hour for code verification (approximately 500 lines of Perl code per hour). The code verification ensures that everyone on the shared secure server is acting in a manner that preserves the overall security of the site.

How long does it take?
MAIC submits your application the first business day we receive your order. If all the information provided is up to date and correct, your Digital ID may be issued in approximately one week.

What is a Digital ID?
Digital IDs provide a trusted means of authenticating the identity of each party in an electronic transaction. Thawte's Digital IDs are used much the same way as conventional forms of identification, such as a driver's license or passport, to provide irrefutable evidence of the owner's identity and, in some cases, authority in a given transaction.

Digital IDs, also known as Digital certificates, bind an identity to a pair of electronic keys that can be used for encrypting and signing digital information. A Digital ID makes it possible to verify someone's claim that they have the right to use a given key, helping to prevent people from using phony keys to impersonate other users. Used in conjunction with encryption, Digital IDs provide a more complete security solution, assuring the identity of all parties involved in a transaction.

Who issues Digital IDs and how?
Digital IDs are issued by a Certificate Authority (CA), which can be any trusted central administration willing to vouch for the identities of those to whom it issues Digital IDs. A company may issue Digital IDs to its employees, a university to its students, a town to its citizens. In order to prevent forged Digital IDs, the CA's public key must be trustworthy: a CA must either publicize its public key or provide a Digital ID from a higher level CA attesting to the validity of its public key. The latter solution gives rise to hierarchies of CAs. Current CAs include the following:

  • Thawte
  • Verisign

Digital ID issuance proceeds as follows. Bob generates his own key pair and sends the public key to an appropriate CA with some proof of his identification. The CA checks the identification and takes any other steps necessary to assure itself that the request really did come from Bob, and then sends him a Digital ID attesting to the binding between Bob and his public key, along with a hierarchy of Digital IDs verifying the CA's public key. Bob can present this Digital ID chain whenever desired in order to demonstrate the legitimacy of his public key.

Since the CA must check for proper identification, organizations will find it convenient to act as a CA for their own members and employees. There will also be CAs that issue Digital IDs to unaffiliated individuals.

Different CAs may issue Digital IDs with varying levels of identification requirements. One CA may insist on seeing a driver's license, another may want the Digital ID request form to be notarized, yet another may want fingerprints of anyone requesting a Digital ID. Each CA should publish its own identification requirements and standards, so that verifiers can attach the appropriate level of confidence in the certified name-key bindings.


Operational Questions:

Who registers the certificate?
MAIC assumes the responsibility to submit your application to the Certifying Authority and install your encryption key when it is issued. You will be responsible for providing to the Certifying Authority any information they may need to authenticate your business or organization. Thawte (the Certifying Authority) will contact your business to tell you what information they need.

Where will my Secure Server be located?
Your secure server will use the same document structure as your current MAIC account, but will be running in secure mode with your encryption key installed. You can then host your server in any of our colocation facilities. MAIC's colocation facilities are in the United States, allowing international customers to have a strong-encryption secure server without being restricted by government export controls.


Why do I need a certificate and why can't I just generate one for myself?
A certificate consists of your public key, an expiration date, documentation binding it to your organization, and the digital signature of its issuer, which should be a recognized Certificate Authority (CA). If you were to generate your own, there would be no way to distinguish it from a counterfeit certificate intended to imitate one of yours.


If I use your key technology will the National Security Agency (NSA) have access to my keys?
NO. Your private key is never transmitted to anyone. In particular, your certificate request will contain your public key only. So long as you protect your private key, and provide no one with access to it, your key will remain securely in your hands only. MAIC provides this security for your private key on your server.


Our site is outside of the U.S. How can we obtain a certificate?
The procedure for requesting a certificate is the same for domestic and international requests. There may be an additional charge, however, if language translation is required. Please provide all your information in English. If it is not provided in English, you must have it translated into English at the direction of the certifying authority.

Is the use of RSA technology, secure web servers, and Thawte Digital IDs outside of the U.S. affected by U.S. export laws?
Thawte's product, consisting essentially of an authentication service for public keys but not the keys themselves, is unaffected by U.S. export regulations. Since MAIC's servers are in the United States, our international customers can obtain full encryption keys for their accounts hosted by MAIC.

I have more than one account on MAIC. Do I need more than one Digital ID?
Yes. Each account name must have a separate certificate. Only full domain web accounts are eligible to become a secure server.


Is there any way to speed up the process?
It would be impossible to provide the authentication implied by a certificate if we did not have the proper documentation and time to complete the process. Currently, the minimum time period is 5 working days. This assumes that all required information is made available when requested.

What should I use as my common name?
The common name is the URL of the site on which you want to run SSL. This cannot be an IP address. The site name must be used because some SSL browsers compare the common name of the certificate to the DNS name of the site.


What is a Distinguished Name?
A Distinguished Name (DN) is a set of values that describes your country, state or province, city or town, organization, division within that organization and your web server domain name.

Here is an example of a DN for Thawte:
Common-name: secure.pa.net (the server's host name)
Organization: MAIC (the company to which the server is registered)
Organization Unit: Certificate Services (optional field)
Locality: Carlisle
State: Pennsylvania (make sure to spell out the complete state name)
Country: US (make sure to use the correct ISO code)
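As an added illustration (not part of the original FAQ or MAIC's tooling), the following Python checks a DN against the requirements above, which is the kind of check that explains a rejected request as described under Problems, and performs the common-name comparison the browser makes. The "KEY=value, ..." DN syntax, the short field keys and the extra sample DNs are assumptions; the values of the example DN are the page's.

```python
import ipaddress

# Constructed DN string: the values are the page's Thawte example; the
# "KEY=value, ..." syntax and the keys CN/O/OU/L/ST/C are assumptions.
EXAMPLE_DN = "CN=secure.pa.net, O=MAIC, OU=Certificate Services, L=Carlisle, ST=Pennsylvania, C=US"
REQUIRED = ("CN", "O", "L", "ST", "C")  # the FAQ lists OU as optional


def parse_dn(dn):
    """Split 'KEY=value, KEY=value' into a dict keyed by upper-cased field name."""
    fields = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {part!r}")
        fields[key.strip().upper()] = value.strip()
    return fields


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return False
    return True


def dn_problems(dn):
    """Reasons a request with this DN would be rejected under the rules above; [] means OK."""
    f = parse_dn(dn)
    problems = [f"missing required field {k}" for k in REQUIRED if not f.get(k)]
    cn = f.get("CN", "")
    if cn and is_ip_literal(cn):
        problems.append("common name must be a DNS name, not an IP address")
    if cn and "/" in cn:
        problems.append("common name is the host name only, without scheme or path")
    if f.get("ST") and len(f["ST"]) <= 2:
        problems.append("spell out the complete state name")
    c = f.get("C", "")
    if c and not (len(c) == 2 and c.isalpha()):
        problems.append("country must be the two-letter ISO code, e.g. US")
    return problems


def common_name_matches(dn, host):
    """The browser-side check the FAQ mentions: certificate CN versus the site's DNS name."""
    cn = parse_dn(dn).get("CN", "")
    return bool(cn) and cn.lower().rstrip(".") == host.lower().rstrip(".")
```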


What are examples of Organizational Information?
You will need to fax us a copy of your business registration. Examples are:

  • Articles of Incorporation
  • Partnership Papers
  • Business License
  • Fictitious Business License
  • Federal Tax ID

All of these documents must be submitted in English. If your documents are not in English you need to have them translated by an independent translation agency. These documents cannot be applications.

Who can be the Organizational Contact?
An employee of the organization who is authorized to sign binding company agreements.

How do I install my Digital ID?
If you are installing it on your own server, there should be instructions that came with your secure server regarding this. For example, here are instructions for the Apache web server.

My Secure Server Digital ID has been installed. Now, how do I change my existing Web site to make the transactions secure?
Once you have a Secure Server Digital ID and your users log into your web site using SSL (https://... instead of http://...), all http (web) traffic will be secure. That includes all GET/POST operations that are submitted to CGI programs. If you have explicit URLs (for example, "http://www.yoursite.com/newpage.html") in your CGI programs or on web pages, make sure that they say "https" instead of "http". Also note that relative links (for example, /newpage.html) from secure pages will remain secure, and from insecure pages will remain insecure.
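To show the link rewrite described above in working form, here is an added Python example (not from the original FAQ) that turns explicit http:// links to your own host into https:// while leaving relative links and other hosts untouched, and reports which plain-http links remain. The sample HTML is constructed; www.yoursite.com is the page's placeholder host.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample page (not from the FAQ); mixes the link kinds the FAQ discusses.
SAMPLE_HTML = """
<a href="http://www.yoursite.com/newpage.html">Next</a>
<a href="/newpage.html">Relative: inherits the scheme of the page it is on</a>
<form action="http://www.yoursite.com/cgi-bin/order.pl" method="post">
<img src="http://ads.example.net/banner.gif">
"""

# href/src/action attribute values in double or single quotes
ATTR_URL = re.compile(r"""(?P<attr>\b(?:href|src|action)=["'])(?P<url>[^"']*)""", re.IGNORECASE)


def secure_own_links(html, own_hosts):
    """Rewrite absolute http:// links to our own host(s) as https://.
    Returns (new_html, rewritten_urls, remaining_http_urls)."""
    hosts = {h.lower() for h in own_hosts}
    rewritten, remaining = [], []

    def fix(match):
        url = match.group("url")
        parts = urlsplit(url)
        if parts.scheme.lower() == "http":
            if parts.hostname and parts.hostname.lower() in hosts:
                rewritten.append(url)
                return match.group("attr") + urlunsplit(("https",) + tuple(parts[1:]))
            # Third-party resource still fetched over plain http from a secure page.
            remaining.append(url)
        return match.group(0)  # relative links and https links are left alone

    return ATTR_URL.sub(fix, html), rewritten, remaining
```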



What happens when a key expires?
In order to guard against a long-term factoring attack, every key must have an expiration date after which it is no longer valid. The time to expiration must therefore be much shorter than the expected factoring time, or equivalently, the key length must be long enough to make the chances of factoring before expiration extremely small. The validity period for a key pair may also depend on the circumstances in which the key will be used, although there will also be a standard period. The validity period, together with the value of the key and the estimated strength of an expected attacker, then determines the appropriate key size.

The expiration date of a key accompanies the public key in a Digital ID or a directory listing. The signature verification program should check for expiration and should not accept a message signed with an expired key. This means that when one's own key expires, everything signed with it will no longer be considered valid. Where it is important that a signed document be considered valid for a longer period of time, the document should be time-stamped.

After expiration, the user chooses a new key, which should be longer than the old key, perhaps by several digits, to reflect both the performance increase of computer hardware and any recent improvements in factoring algorithms. Recommended key length schedules will likely be published. A user may recertify a key that has expired, if it is sufficiently long and has not been compromised. The Certificate Authority would then issue a new Digital ID for the same key, and all new signatures would point to the new Digital ID instead of the old. However, the fact that computer hardware continues to improve argues for replacing expired keys with new, longer keys every few years. Key replacement enables one to take advantage of the hardware improvements to increase the security of the cryptosystem. Faster hardware has the effect of increasing security, perhaps vastly, but only if key lengths are increased regularly.
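The expiration rules in the three paragraphs above, as an added Python example that is not part of the original FAQ: a verifier that rejects signatures made with an expired key unless a trusted time-stamp places the signing inside the key's validity period, the re-certification condition, and the conversion of "longer by several digits" into bits. The key record and dates are constructed; the 1024-bit length and the one-year period are assumptions.

```python
import math
from datetime import datetime, timezone

UTC = timezone.utc
# Constructed key record (assumed values): Bob's key pair certified for one year.
KEY = {"owner": "Bob", "bits": 1024,
       "not_before": datetime(2001, 1, 1, tzinfo=UTC),
       "not_after": datetime(2002, 1, 1, tzinfo=UTC)}


def key_valid_at(key, when):
    return key["not_before"] <= when < key["not_after"]


def accept_signature(key, now, signed_at=None, timestamp_trusted=False):
    """Verifier policy from the FAQ: refuse a message signed with an expired key,
    unless a trusted time-stamp shows it was signed while the key was still valid.
    (Cryptographic verification of the signature itself is assumed to have passed.)"""
    if key_valid_at(key, now):
        return True
    return bool(timestamp_trusted and signed_at is not None and key_valid_at(key, signed_at))


def may_recertify(key, now, min_bits, compromised=False):
    """An expired key may be re-certified only if still long enough and not compromised."""
    return now >= key["not_after"] and key["bits"] >= min_bits and not compromised


def next_key_length(old_bits, extra_digits):
    """'Longer by several digits' means decimal digits of the modulus;
    each decimal digit is log2(10), about 3.32, bits."""
    return old_bits + math.ceil(extra_digits * math.log2(10))
```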


How do I know what my Digital ID's serial number is?
Your Digital ID's serial number is displayed when you view your Digital ID in Netscape Navigator. To view your Digital ID:

Netscape Navigator Users:

  1. Select Security Preferences from the Options menu.
  2. Select the Personal Certificates tab.
  3. Select your Digital ID's nickname and then click the More Info button.

The serial number is displayed in the certificate information window.


Problems:

Why was my electronic certificate request rejected?
The Distinguished Name you entered in the request may not meet our requirements. For a complete description of each field in the DN, and the required formats, read here.


©2001 cti | webdesign
All Rights Reserved