[3367] in WWW Security List Archive
RE: Entrust and Microsoft ISAPI
daemon@ATHENA.MIT.EDU (Hamilton, Ed @ OTT)
Thu Oct 24 12:02:33 1996
From: "Hamilton, Ed @ OTT" <ehamilt@lmcda.lmco.com>
To: "'WWW-Security Mailing List'" <www-security@ns2.rutgers.edu>
Cc: "''davek@healthmagic.com'" <davek@healthmagic.com>
Date: Thu, 24 Oct 96 09:53:00 EDT
Errors-To: owner-www-security@ns2.rutgers.edu
Hi Dave,
I am not sure how much I can help you, as I have used Entrust related
to www applications very little. However, this is what I know.
1. Microsoft and Nortel's Entrust were a pair at one time. I am not sure,
but I believe that Microsoft Exchange used technology from Entrust version
1.0. Maybe Microsoft can add something here.
2. Nortel did release a press statement indicating interest in Microsoft's
CAPI specification and their plan to support it, although when I talked to
Nortel representatives, it was not clear what "support" meant.
3. If you have Netscape version 3.0, you can go to Entrust's web site and
pick up a free demo Certificate. It can be found at
http://www.nortel.com/entrust. I am not sure if Microsoft's Internet
Explorer can be used for the demo Certificate, but it may be a good idea to
try it.
4. The www free demo Certificate should convince you somewhat that the
X.509 certificates are interoperable with the desired packages. If you know
any web sites that currently implement secure connections using X.509
certificates, then try connecting to them with the demo certificate.
5. I am not sure if you can actually use more than one security framework.
I think (in a perfect world) that Microsoft CAPI should sit on top of
Entrust and provide an obscurity of detail. My understanding of CAPI is
that it is a high level interface to cryptographic functions provided by any
cryptography product. All you have to do is replace the plumbing below the
CAPI with your cryptographic product (Entrust in this case). What this
should mean is that regardless of the cryptographic product, all calls and
manipulation of its services should be identical.
I hope this will assist you in your quest for knowledge.
P.S. I have mailed this to the list and yourself because my email domain
name has changed and I am not sure if my posts are being accepted at the
list. Should you not get a copy of this from the list, you may want to
forward it to the list to obtain confirmation on my statements from other
members (specifically Microsoft).
--- Ed.Hamilton@lmco.com
From: "Dave K. Kythe" <davek@healthmagic.com>
Subject: Entrust and Microsoft ISAPI
------------------------------------------------------------------------------
We are thinking about using Nortel's Entrust in a web
application that would use Microsoft's ISAPI and IIS web
server. But how well does Entrust work with ISAPI?
Does anyone have experience with calling the Entrust
toolkit APIs from an ISAPI filter?
If we build the web app using a different API set than
Entrust's, how interoperable are X.509 certificates generated
by Nortel's Entrust CA product with applications developed on
a security framework like Microsoft's CryptoAPI? Are there
any major caveats with "mixing and matching" security products
of different vendors like Entrust and Microsoft?
Thanks!
Dave K. Kythe, Senior Architect
http://www.HealthMagic.com
phone: 803-748-9444 x107
email:davek@healthmagic.com