Extranet/E-Commerce: Acme Sales Corp - Netscape MANAGEMENT SYSTEM 4.5 Installation And Setup Manual

The Registration Manager provides only a subset of the capabilities of the
Certificate Manager—those required for processing end-user requests. If the
Registration Manager is compromised, the Certificate Manager can revoke its
signing certificate (thus invalidating all subsequent requests from that
Registration Manager) and issue a new one after the problem has been
addressed.

Administrative and physical arrangements are closely related to firewall issues.
The flexibility of CMS deployment options makes it possible to divide functions
among existing administrative groups or physical locations, requiring minimal
disruption for an organization.

The examples that follow do not address the role of the Data Recovery Manager or
the potential use of multiple Registration Managers and Certificate Managers. For
example, in some circumstances it might make sense to have some Registration
Managers outside the firewall and some inside; in other cases different CMS
subsystems might be located in entirely different physical locations, each with its
own firewall.

In general, Netscape recommends that the Certificate Manager handle all certificate
and CRL publishing functions. If it's necessary for some entries in a directory to be
available outside the firewall, Netscape recommends using the partial replication
feature of Directory Server to replicate the relevant portion of the directory.
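
The first paragraph above says the Certificate Manager can revoke a compromised Registration Manager's signing certificate, invalidating its subsequent requests. The gate below shows that check as an added example (not CMS code): HMAC stands in for the Registration Manager's certificate signature, and every name, key and date is constructed. It goes one step beyond the text by applying the cutoff to the Certificate Manager's own receipt time, because a compromised Registration Manager controls any signing time stated in the request.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample data. HMAC with a per-RM key stands in for the RM's
# certificate-based signature so the example needs only the standard library.
RM_KEYS = {"rm-01": b"constructed-rm-01-key", "rm-02": b"constructed-rm-02-key"}

# RM id -> time at which the Certificate Manager revoked its signing certificate.
REVOKED_AT = {"rm-01": datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)}


def sign(rm_id, payload):
    """Signature a Registration Manager attaches to a request it approved."""
    return hmac.new(RM_KEYS[rm_id], payload, hashlib.sha256).hexdigest()


def cm_accepts(rm_id, payload, signature, claimed_signed_at, received_at):
    """Certificate Manager gate for a request forwarded by a Registration Manager.

    Returns (accepted, reason). claimed_signed_at is deliberately ignored:
    it comes from the RM, so a compromised RM could backdate it to a moment
    before the revocation. Only the CM's own receipt time is trusted.
    """
    key = RM_KEYS.get(rm_id)
    if key is None:
        return False, "unknown registration manager"
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    revoked = REVOKED_AT.get(rm_id)
    if revoked is not None and received_at >= revoked:
        # The signature is still mathematically valid, but the key behind it
        # is no longer trusted for anything arriving after the revocation.
        return False, "signing certificate revoked"
    return True, "ok"


if __name__ == "__main__":
    payload = b"CN=alice,O=Example (constructed request)"
    sig = sign("rm-01", payload)
    backdated = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)
    arrival = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)
    print(cm_accepts("rm-01", payload, sig, backdated, arrival))
```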

Extranet/E-Commerce: Acme Sales Corp.

Acme Sales is a high-end mail-order catalog service that is launching an online
shopping service. Many of Acme's affluent customers make very expensive
purchases, so Acme has decided to use certificate-based authentication for its new
web site.

Acme has 100,000 existing customers and expects to attract many new customers
through its online service. The company wants to use its existing relational
database to authenticate and enroll existing customers with minimal effort on their
part. For new customers, Acme wants to establish a manual process entailing
out-of-band credit checks (that is, checks that don't involve an electronic network),
identity verification, and a personal phone call before an online certificate request
can be granted. In addition, Acme plans to issue certificates to contract workers,
suppliers, and employees who routinely access parts of the company's internal
network by using Kerberos.

Chapter 2: Certificate Enrollment and Life-Cycle Management, Some Enrollment Scenarios