Extranet/E-Commerce: ExampleCorp - Netscape MANAGEMENT SYSTEM 6.0 Installation And Setup Manual

The Registration Manager provides only a subset of the capabilities of the
Certificate Manager—those required for processing end-user requests. If the
Registration Manager is compromised, the Certificate Manager can revoke its
signing certificate (thus invalidating all subsequent requests from that
Registration Manager) and issue a new one after the problem has been
addressed.
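
The revoke-and-reissue sequence described above, as an added example that is not part of the manual and does not use any CMS API. The class and function names are hypothetical, and an HMAC key stands in for the Registration Manager's signing certificate so the sketch runs with the standard library only.

```python
import hashlib
import hmac
import secrets

class CertificateManager:
    """Toy model: tracks which Registration Manager (RM) signing certs it trusts."""

    def __init__(self):
        self._rm_keys = {}      # cert serial -> signing key (HMAC stands in for a signature)
        self._revoked = set()   # serials of revoked RM signing certificates
        self._next_serial = 1

    def issue_rm_cert(self):
        """Issue a signing certificate to an RM; returns (serial, key)."""
        serial, key = self._next_serial, secrets.token_bytes(32)
        self._next_serial += 1
        self._rm_keys[serial] = key
        return serial, key

    def revoke_rm_cert(self, serial):
        self._revoked.add(serial)

    def process(self, serial, request, signature):
        """Return 'issued' or a rejection reason for an RM-forwarded request."""
        key = self._rm_keys.get(serial)
        if key is None:
            return "rejected: unknown RM certificate"
        # Revocation is checked before the signature: a stolen key still signs correctly.
        if serial in self._revoked:
            return "rejected: RM certificate revoked"
        expected = hmac.new(key, request, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "rejected: bad signature"
        return "issued"

def rm_sign(key, request):
    """What the RM does after approving an end-user request."""
    return hmac.new(key, request, hashlib.sha256).digest()

def demo():
    cm = CertificateManager()
    old_serial, old_key = cm.issue_rm_cert()
    req = b"constructed-request: CN=alice"          # constructed sample input
    before = cm.process(old_serial, req, rm_sign(old_key, req))
    cm.revoke_rm_cert(old_serial)                   # RM found to be compromised
    after = cm.process(old_serial, req, rm_sign(old_key, req))
    new_serial, new_key = cm.issue_rm_cert()        # reissued once the problem is addressed
    reissued = cm.process(new_serial, req, rm_sign(new_key, req))
    return before, after, reissued
```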

Administrative and physical arrangements are closely related to firewall issues.
The flexibility of CMS deployment options makes it possible to divide functions
among existing administrative groups or physical locations, requiring minimal
disruption for an organization.

The examples that follow do not address the role of the Data Recovery Manager or
the potential use of multiple Registration Managers and Certificate Managers. For
example, in some circumstances it might make sense to have some Registration
Managers outside the firewall and some inside; in other cases different CMS
subsystems might be located in entirely different physical locations, each with their
own firewalls.

In general, Netscape recommends that the Certificate Manager handle all certificate
and CRL publishing functions. If it's necessary for some entries in a directory to be
available outside the firewall, Netscape recommends using the partial replication
feature of Directory Server to replicate the relevant portion of the directory.

Extranet/E-Commerce: ExampleCorp

ExampleCorp is a high-end mail-order catalog service that is launching an online
shopping service. Many of ExampleCorp's affluent customers make very
expensive purchases, so ExampleCorp has decided to use certificate-based
authentication for its new web site.

ExampleCorp has 100,000 existing customers and expects to attract many new
customers through its online service. The company wants to use its existing
relational database to authenticate and enroll existing customers with minimal
effort on their part. For new customers, ExampleCorp wants to establish a manual
process entailing out-of-band credit checks (that is, checks that don't involve an
electronic network), identity verification, and a personal phone call before an
online certificate request can be granted. In addition, ExampleCorp plans to issue
certificates to contract workers, suppliers, and employees who routinely access
parts of the company's internal network by using Kerberos.

Chapter 2
Certificate Enrollment and Life-Cycle Management
Some Enrollment Scenarios
