Firewall Wizards mailing list archives

Re: IPsec and firewalls


From: carson () tla org
Date: Mon, 9 Feb 1998 12:56:28 -0500 (EST)

"Adam" == Adam Shostack <adam () homeport org> writes:

Adam>   Regarding Carson's points about making your firewall a CA, I
Adam> think that for any company which has more than a few servers
Adam> internally, making the FW a Certification Authority is a mistake.  A
...
Adam>   I suspect that Carson knew this, and misspoke, hitting one of
Adam> my pet peeves. :) 

Nope. I said make it _a_ CA, not _the_ CA. A big difference. The only certs
it would be signing are the bogus ones required to spoof SSL. Your browser
has to trust it as a CA, so you should make sure it's hard to get at its
signing key, but nobody _outside_ your organization should trust it, and you
don't have to trust it for signing keys (if your client software is smart
enough).

"I see...you want to go to https://www.blackhat.com/nukeme.exe...<fumble
fumble fumble> _I'm_ www.blackhat.com. _Really_ I am. You trust me, don't
you? <bat, bat, bat> Now let's see if that file passes my toxic waste
filters..."

-- 
Carson Gaspar -- carson () cs columbia edu carson () tla org carson () cugc org
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body
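The scheme Carson describes, worked through with OpenSSL as an added example (this is not code from the original post or from any product the thread discusses): the firewall mints its own CA, forges a leaf certificate for whatever hostname the client asked for, and the forged cert is accepted only by a client whose trust store contains the firewall's CA. The organisation names, the second "outside" CA used as a stand-in for everyone else's trust store, the key sizes and lifetimes are assumptions; www.blackhat.com is the hostname from the post.

```shell
#!/bin/sh
# Added example, not from the original post: "firewall as _a_ CA" with OpenSSL.
# Org names, key sizes, lifetimes and the outside-CA stand-in are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Mint a self-signed CA. $1 = directory, $2 = file stem, $3 = CN.
# Used twice: once for the firewall's interception CA, once for a stand-in
# "outside" CA representing a trust store the firewall has no business being in.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 365 \
    -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
  # The signing key is the whole game: anyone holding it can impersonate any
  # site to every client that trusts this CA, so it stays on the box, owner-only.
  chmod 600 "$1/$2.key"
}

# What the firewall does per intercepted connection: forge a leaf certificate
# for the hostname the client asked for and sign it with the interception CA.
forge_leaf() {   # $1 = hostname being spoofed
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" \
    -CA "$WORK/fw-ca.crt" -CAkey "$WORK/fw-ca.key" -CAcreateserial \
    -days 30 -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Client-side check: chain and hostname against a given trust store.
# Exit status 0 means that client would accept the spoofed site.
client_accepts() {   # $1 = hostname, $2 = CA file the client trusts
  openssl verify -CAfile "$2" -verify_hostname "$1" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca "$WORK" fw-ca "Example Corp SSL Inspection CA"       # assumed name
make_ca "$WORK" outside-ca "Some Other Organisation CA"      # assumed name
forge_leaf www.blackhat.com

if client_accepts www.blackhat.com "$WORK/fw-ca.crt"; then
  echo "inside client (trusts fw-ca):      accepts forged www.blackhat.com cert"
fi
if ! client_accepts www.blackhat.com "$WORK/outside-ca.crt"; then
  echo "outside client (trusts outside-ca): rejects it, as it should"
fi
```

The two `client_accepts` calls are the point of the message: the same forged certificate is good inside the organisation, where browsers have been told to trust fw-ca, and worthless to anyone verifying against any other trust store. Note that the interception CA is only ever used to sign those throwaway leaf certificates; it signs nothing else, which is the "_a_ CA, not _the_ CA" distinction.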
