Re: Securing isqlplus

From: Stu Charlton <stuartc_at_mac.com>
Date: 21 May 2003 06:45:07 -0700
Message-ID: <21398ab6.0305210545.24253531@posting.google.com>


Daniel Morgan <damorgan_at_exxesolutions.com> wrote in message news:<3ECABB1B.166F5728_at_exxesolutions.com>...

> You also said that after purchasing Oracle software one must separately negotiate the purchase
> of a certificate from a CA company. Which I translate into meaning that you are selling an
> insecure product in the same way that IBM's DB/2 requires Tivoli or similar third-party
> products.

You seem to be suggesting that Oracle bundle a product that:
- costs between $250 and $1000 depending on the CA and features
- requires verification that the applicant has the authorization of the company and provides contact information for the company
- adds at least a $100 surcharge for rush-order certifications (i.e. 24 hours)

I suppose Oracle could provide a bundle "Oracle 9i with SSL secure certificate" where Oracle can act as a middle-man to buy your certificate for you, but this seems a bit much. I really doubt IT security departments would want to buy their company's certificate from their database vendor. Most companies with production web servers, even small ones, will already own a certificate.

This goes beyond Oracle. By your argument, all web server companies are effectively selling insecure products, because none of them are bundled with certificates. We're not talking about securing iSQL*Plus, we're talking about securing a web server, which can potentially serve much more than iSQL*Plus. This is fundamentally the structure of the secure certificate industry -- the CA is a company that you have to contact directly. It's a hassle, but most secure things are. :)

The free alternative is to generate your own certificate that's not signed by a well-known CA, i.e. your company becomes its own CA. This can work, but would require installing the certificate on all web browsers that access iSQL*Plus -- making it a workable solution for intranet clients, not internet clients.

Anyway, just my opinion
Stu

Received on Wed May 21 2003 - 08:45:07 CDT
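
The "company becomes its own CA" option from the message above, as an added example that is not part of the original post: it creates a private CA, issues a certificate for the web server in front of iSQL*Plus, and checks it as a client with and without the CA certificate installed. The organisation name, the host name isqlplus.intranet.example and the file names are constructed, and OpenSSL 1.1.0 or later is assumed.

```shell
#!/usr/bin/env bash
# Added example; Example Corp and isqlplus.intranet.example are constructed names.
# Assumes the OpenSSL 1.1.0+ command-line tool is on PATH.
set -eu

build_private_ca_and_cert() {          # $1 = empty working directory
  local d=$1
  umask 077                            # private keys readable by their owner only
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:isqlplus.intranet.example
EOF
  # 1. The company's own root: a self-signed certificate marked as a CA.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/pki.cnf" -extensions v3_ca \
    -subj "/O=Example Corp/CN=Example Corp Internal CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # 2. Key and signing request for the web server that fronts iSQL*Plus.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/O=Example Corp/CN=isqlplus.intranet.example" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  # 3. The private CA signs the request and adds the server extensions.
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 365 \
    -extfile "$d/pki.cnf" -extensions v3_srv -out "$d/srv.crt" 2>/dev/null
}

verify_as_client() {                   # $1 = directory, $2 = with-ca | without-ca
  local d=$1
  if [ "$2" = with-ca ]; then set -- -CAfile "$d/ca.crt"   # CA cert imported
  else set -- -no-CAfile -no-CApath; fi                    # no trust anchors
  if openssl verify "$@" "$d/srv.crt" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

work=$(mktemp -d)
build_private_ca_and_cert "$work"
echo "client with ca.crt installed:    $(verify_as_client "$work" with-ca)"
echo "client without ca.crt installed: $(verify_as_client "$work" without-ca)"
```

Only ca.crt is distributed to clients; ca.key stays offline, since anyone holding it can issue certificates those clients will accept.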
