MEovino@ESTES-EXPRESS.COM wrote:
>
> Sean (and anyone else who wants to answer),
>
> Thanks for this wonderful reference. I've been lurking on this thread and
> waiting for someone to come through with something like this. Since I'm
> guessing you've done this before, I have a couple of questions.
>
> In item 18 of the "Generate an Encryption Key and Customer Request Form"
> section
> (http://www.as400.ibm.com/tstudio/secure1/server/http/v4r4/chooseca.htm):
> Do they want you to use your machine name or what you have in your DNS so
> you can be found?

You want www.estes-express.com there. The name on the certificate needs to match the DNS name.

> And will authentication fail if someone tries to use just "estes-express.com"?

No, it will not fail. The client will get a warning that the certificate name does not match the server name. They then get the choice to continue or not. I believe Verisign sells certificates that work at the domain name level with any host.

> In item 8 of the "Enable SSL" section
> (http://www.as400.ibm.com/tstudio/secure1/server/http/v4r4/conform2.htm):
> Which option do I want to use if all I want is to make sure that data
> transmitted back and forth from the user's browser to my server is
> encrypted (for now this is all I need - may change in the future)? Looks
> like it's "None" but I just want to make sure.

None would be correct. This is asking for a client certificate which is only necessary if you want to authenticate the user instead of just encrypting the connection.

> Also, if in the future I
> want to require a successful handshake to get a certain URL, can I have an
> environment where for some URL's client authentication is "None" and some
> it's "Required"? How would I do this?

I'm sure you can, but I haven't done it.

> If I have separate test and production servers on separate boxes, do I need
> to get two certificates, or can I use the same one on both boxes?

If the test box is for your use and not for the public, it's possible. I think you need the server key as well as the certificate. I haven't tried it....

> Are any of you guys using encryption higher than 40 bit? I keep a copy of
> 128 bit Netscape on my machine, but the only site I visit that uses it is
> my broker's. I'm a little leery of using anything higher than 40 bit, as
> most PC's ship with 40 bit IE, and users are generally not very happy when
> you make them do things like upgrade their browsers.

I love 128 bit encryption. The more the merrier! In general, a client will use a key as long as it supports. 128 bit just means the server ALLOWS up to 128 bit. It should still accept the first 40 from a client that doesn't support more (although I think the new standard has changed to 56 from 40.) IMHO, no-one should do any e-commerce or banking (as a customer) with less than 128 bit encryption.

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
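
The certificate-name matching discussed in this thread, as an added example that is not part of the original messages: a simplified Python check in the style of RFC 6125 showing why a certificate issued for www.estes-express.com produces a mismatch warning when the site is reached as estes-express.com. The wildcard and two-name certificates are constructed for illustration and go beyond the single case in the thread; all function names are hypothetical.

```python
# Added example: simplified certificate-name matching (RFC 6125 style).
# The certificate name lists below are constructed for illustration.

def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")

def name_matches(pattern, host):
    """True if one certificate name (optionally '*.rest') covers host."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # A wildcard is honoured only as the whole left-most label and
        # stands for exactly one label, so '*.example.com' never covers
        # 'example.com'. Patterns as broad as '*.com' are refused.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or non-left-most wildcards are rejected
    return p == h

def cert_covers(cert_names, host):
    """True if any name on the certificate matches the requested host."""
    return any(name_matches(n, host) for n in cert_names)

# Constructed certificates for the site discussed in the thread.
SINGLE = ["www.estes-express.com"]
WILDCARD = ["*.estes-express.com"]
BOTH = ["www.estes-express.com", "estes-express.com"]

def report():
    """Evaluate each constructed certificate against each requested host."""
    hosts = ["www.estes-express.com", "estes-express.com",
             "WWW.Estes-Express.com."]
    certs = (("single", SINGLE), ("wildcard", WILDCARD), ("both", BOTH))
    return [(label, host, cert_covers(names, host))
            for label, names in certs for host in hosts]

if __name__ == "__main__":
    for label, host, ok in report():
        verdict = "match" if ok else "MISMATCH (browser warning)"
        print(f"{label:9} {host:26} {verdict}")
```

Only the certificate carrying both names covers the bare domain as well as the www host; the single-name and wildcard certificates each leave estes-express.com unmatched.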