Core Business Services - Security and Auditing
Support for trust

By implication, SSL supports a trust model for establishing trusted SSL server identities that is consistent with the PKI X.509 standard, and it advises due caution in the choice of root CAs for this purpose. In particular, SSL relies on X.509 public-key certificates authorized by root CAs and on the Digital Signature Standard (DSS) to assure SSL client and server authentication.
SSL also strongly suggests that any SSL implementation support certificate revocation messages and provide a means of choosing a trusted root CA to authorize digital certificates, but it does not directly specify how to do so. It also suggests providing a means to view information about digital certificates and root CAs.
Note: OpenEdge does provide key and certificate management tools. For more information, see the sections on managing OpenEdge key and certificate stores in OpenEdge Getting Started: Installation and Configuration.
As stated in the "F.3 Final notes" section of The SSL Protocol Version 3.0 specification (see SSL standards support in OpenEdge): "The system is only as strong as the weakest key exchange and authentication algorithm supported, and only trustworthy cryptographic functions should be used. Short public keys, 40-bit bulk encryption keys, and anonymous servers should be used with great caution. Implementations and users must be careful when deciding which certificates and certificate authorities are acceptable; a dishonest certificate authority can do tremendous damage."
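The following Python audit is an added example, not OpenEdge code or tooling. It applies the three F.3 cautions (short public keys, 40-bit bulk encryption keys, anonymous servers) to the list of cipher suites an endpoint supports, and reports every suite that triggers one, since the weakest supported suite sets the strength of the whole endpoint. The function names, the sample suite list, and the 2048-bit certificate key threshold are assumptions made for the example.

```python
# Added example: constructed inputs and an assumed policy threshold.
MIN_PUBLIC_KEY_BITS = 2048  # assumption, not a value from the page


def audit_suite(name):
    """Map one SSL 3.0-style suite name to the F.3 cautions it triggers."""
    key_exchange, _, bulk = name.partition("_WITH_")
    findings = []
    if "_anon" in key_exchange:
        # No server certificate is presented, so the peer is unauthenticated.
        findings.append("anonymous server")
    if "EXPORT" in key_exchange:
        # Export suites cap the key-exchange key at export-grade length.
        findings.append("short public key")
    if any(token.endswith("40") for token in bulk.split("_")):
        # Matches RC4_40, RC2_CBC_40 and DES40 bulk ciphers.
        findings.append("40-bit bulk encryption")
    return findings


def audit_endpoint(suites, cert_key_bits):
    """Report every supported suite, and the certificate key, that F.3 flags."""
    report = {s: audit_suite(s) for s in suites}
    report = {s: f for s, f in report.items() if f}
    if cert_key_bits < MIN_PUBLIC_KEY_BITS:
        report["certificate"] = [f"short public key ({cert_key_bits} bits)"]
    return report


def passes_f3_cautions(suites, cert_key_bits):
    """True only when no supported suite and no key triggers a caution."""
    return not audit_endpoint(suites, cert_key_bits)


# Constructed sample: suite names as defined in the SSL 3.0 specification.
SAMPLE_SUITES = [
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_DH_anon_WITH_RC4_128_MD5",
    "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
]

if __name__ == "__main__":
    for item, findings in audit_endpoint(SAMPLE_SUITES, 1024).items():
        print(f"{item}: {', '.join(findings)}")
```

A passing result means only that none of the three quoted cautions applies; it says nothing about whether a suite or protocol version meets current cryptographic guidance.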