Microsoft PKI or PKI Vendor? [closed] - infrastructure

Closed 5 years ago.
I have a question related to PKI infrastructure: should an organization go with Microsoft PKI or an independent, separate PKI infrastructure? Are there any licensing restrictions if I use Microsoft PKI infrastructure? Or should I get an independent PKI infrastructure from a vendor that offers PKI, TSA and SP (Signature Proof) infrastructure?

Any PKI infrastructure you choose is bound to have its upsides and its downsides. I can tell you from experience that the Microsoft PKI products generally play pretty well with other Microsoft products but tend to have interoperability problems with other non-Microsoft products. Over time, my understanding is that their oldest PKI products have gotten progressively more standards compliant, but they still have their quirks.
Time stamping authorities are useful if you have concerns about the replay of signed messages:
http://en.wikipedia.org/wiki/File:Trusted_timestamping.gif
But it means that every end entity will need to use that TSA when generating signatures.
If you're using your digital certificates for SSL, you won't need it; unique per-transaction proof of the private key is part of the protocol. If you are doing web authentication, many authentication mechanisms will use either SSL client auth or do something to force the private key to sign a unique value to assure that there is no man-in-the-middle attack.
I'm not quite sure what you mean by "Signature Proof". If you mean including a random, and unique value in every hash to avoid replay attacks, then the same advice as TSA applies. But I'm guessing here.
It will all come down to: what are you using it for? How well does it need to perform? How do users and other systems need to interface with it?
Given that PKI is expensive, no matter how you slice it, you'll want to take some serious time thinking this one out. Between the cost of licenses, the cost of installation (man-hours) and the cost of maintenance, it's a major commitment worth system-level requirements development and design.
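The answer above mentions forcing the private key to sign a unique value so that a captured response cannot be replayed. The following is an added example of that challenge-response pattern, not code from the original answers or from any of the PKI products discussed. It assumes Ed25519 keys (rather than the X.509 RSA certificates a Microsoft CA would typically issue), a 128-bit random nonce as the unique value, and an in-memory table of outstanding challenges; the `proof-of-possession-v1:` context prefix and the injectable clock are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Verifier is the relying party. It hands out random challenges and accepts a
// response only if it is a valid signature over a challenge that was issued,
// has not expired, and has not already been consumed.
type Verifier struct {
	issued map[[16]byte]time.Time // outstanding challenge -> expiry
	ttl    time.Duration
	now    func() time.Time // injectable clock (assumption, so expiry can be tested)
}

func NewVerifier(ttl time.Duration) *Verifier {
	return &Verifier{issued: make(map[[16]byte]time.Time), ttl: ttl, now: time.Now}
}

// Challenge issues a fresh 128-bit random nonce; each one is single-use.
func (v *Verifier) Challenge() ([16]byte, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return n, err
	}
	v.issued[n] = v.now().Add(v.ttl)
	return n, nil
}

// challengeMessage binds the nonce to a fixed context string so a signature
// made for this protocol cannot be reused as a signature over something else.
func challengeMessage(nonce [16]byte) []byte {
	return append([]byte("proof-of-possession-v1:"), nonce[:]...)
}

// Respond is the client side: sign the issued nonce with the private key.
func Respond(priv ed25519.PrivateKey, nonce [16]byte) []byte {
	return ed25519.Sign(priv, challengeMessage(nonce))
}

// Verify consumes the nonce before checking anything else, so that a captured
// (nonce, signature) pair can never be presented a second time.
func (v *Verifier) Verify(pub ed25519.PublicKey, nonce [16]byte, sig []byte) error {
	exp, ok := v.issued[nonce]
	if !ok {
		return errors.New("unknown or already used nonce")
	}
	delete(v.issued, nonce)
	if v.now().After(exp) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(pub, challengeMessage(nonce), sig) {
		return errors.New("signature does not verify under the presented key")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // constructed demo key pair
	if err != nil {
		panic(err)
	}
	v := NewVerifier(time.Minute)
	nonce, _ := v.Challenge()
	sig := Respond(priv, nonce)
	fmt.Println("first use:", v.Verify(pub, nonce, sig)) // <nil>
	fmt.Println("replay:", v.Verify(pub, nonce, sig))    // unknown or already used nonce
}
```

The nonce is deleted on first sight rather than after a successful check, so a failed attempt cannot be retried with the same challenge either; the expiry bounds how long a challenge table entry lives if a client never answers.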

The question really comes down to the scope of use. If the PKI will only be used internally within your organization, then Microsoft's Certificate Services product provides a decent PKI platform. However, if your certificates may be used externally -- customers, vendors, etc. -- then you probably want to investigate using a trusted third-party PKI provider like VeriSign, Cybertrust (Verizon Business), etc.
We run Microsoft CS internally and it works well, particularly since one of our primary use cases is auto-enrollment of certificates via Active Directory. It allows IIS, VPN clients, etc. to automatically get certificates issued to them on an as-needed basis.
It's not the most full-featured PKI product I've worked with. If you're looking for a really advanced feature set, then you should look at Red Hat's Certificate Services product. It's also open-sourced as the Dogtag PKI project.

Related

Does using Heroku impose GDPR requirements on my app? [closed]

Closed 2 years ago.
I am working on a small web-app as a hobby, and I would like to avoid any functionality that would trigger GDPR requirements. As such, the web-app neither collects nor processes personal data, does not set cookies (or otherwise track individual users), and also does not integrate any services that do these things.
My question is, if I deploy this app on Heroku, does Heroku do anything behind the scenes (e.g., collecting IP addresses) that would then impose GDPR requirements on my web-app?
Another way to put this would be, is it possible to use Heroku and have GDPR not apply to your website? (without preventing traffic from EU countries)
The first thing to check is hosting location. When you create an app, Heroku allows you to select whether it's hosted in the US or Europe (though no more specifically than that – you just have to hope it doesn't include the UK!).
Next, because Heroku is a managed app service, it means that they get more access than a typical VM would have. You then need to read their privacy policy, which presents a problem: Heroku is owned by Salesforce.com, who have taken a belligerent Facebook-style head-in-sand denial approach to recent court verdicts in this doc. They say in there that the ECJ did not invalidate standards contractual clauses (SCCs), which is true, but not the end of the story. The ECJ said that while SCCs are valid as legal instruments, they can only be used to manage transfer between jurisdictions that uphold EU data protection and privacy standards (which, as far as the US is concerned, has been shot down with the collapse of Privacy Shield), and this is deemed to be the responsibility of the service in question to substantiate. So, what you then want to know is where is the detailed analysis of the US legal position and the audit of the US security services that Salesforce is required to conduct if the SCCs they are using are to be considered valid?
This is of course a rhetorical question: Salesforce has conducted no such audit, nor could they do so in sufficient detail, which then means of course that SCCs are not a valid mechanism for transfers between the EU and US for any service that Salesforce runs.
That said, their privacy policy is pretty large, and I recommend you read it, though they still make reference to the now-defunct Privacy Shield, and make some assertions that would concern me. I'd suggest finding out exactly what they do with data held in EU data centres, what they do with logging, and look harder at their third-party sharing, as that's often the biggest problem area.
This isn't really the place to go further into this, so I'd recommend you read their policies, and also read the GDPR (that's not the official source, but I find it's much more usable), or find a lawyer if you want a more precise analysis. The primary focus of GDPR is on the broad principles, not implementation details, so if something seems dodgy, creepy, or overreaching, it probably is.
I apologise if this has raised more questions than it's answered!

Suspicions regarding Magento licencing [closed]

Closed 11 years ago.
I have been doing web design for a small business in Denmark, which already has a deal with a larger company to create the final site.
Among this company's proposal, I see that they charge a rather large fee for installing Magento on my client's server, and an additional fee to integrate the design.
The same company forbids my client from having FTP or similar access to the server, and they are therefore not able to install this themselves.
My question is: is resale of Magento really allowed by the licence? This company wants to charge a rather steep amount for even installing a blank version of it, no Magento licencing included.
I have looked the larger company up, and this company does NOT have a standing licence for Magento. And even if they got one, I have a sneaky feeling that something legal/licence-related is wrong here.
The reason I share this with you is that I have a gut feeling that I should raise some critical questions and suggest that my client uses another company for their website, but I need to be certain that I'm on the right side.
The IT company has no partnership with Magento/Varien, and has a somewhat tarnished reputation already...
I have mailed Magento about this, but have not had any response yet.
Your question is not entirely clear. But a company can certainly charge for installing a licensed product on behalf of the licensee; this is just a consulting or service fee (unless the licence specifically prohibits a third party from doing this, which is possible (although unlikely) if a) source code is being exposed, or b) there are other commercial sensitivities such as NDAs. But then that is not your risk, it's the licensee's).
As for Ubuntu, a company can again charge for installing or maintaining an Ubuntu install; again this is consulting/service. In fact you can SELL a copy of Ubuntu too; if someone is willing to pay for it that is their prerogative (and they in turn can sell it themselves). You just have to provide the source and the licence, not just a compiled binary, in order to comply with the GPL.
I can understand the position of the 'large company' providing the managed hosting for the Magento build. However, I also understand your concerns.
Assuming that you are only working on the design, there is no reason why you cannot implement your design on localhost with the Magento 'demo store' products. You can then take your design along to the 'small company', get your designs signed off, archive the /skin/frontend/default/macguffin and /app/design/frontend/default/macguffin folders, hand them over to the company providing the 'managed hosting' and then collect your pay-cheque.
By not allowing you access via FTP the 'managed hosting' provider are ensuring that their clients have no third-parties able to access any-of-their-stuff. Furthermore, design is not that big a deal in a Magento build, there is also the payment gateway, the shipping setup, analytics and everything else that happens on go-live. They are also taking the responsibility of providing uptime, availability and the aforementioned security.
You and I know that you can do all of that on a virtual-private-server and get it done in a matter of days, with lots of testing but no client liaison meetings, office overheads to pay for, an expensive project manager to explain everything to, excessive time-sheeting to keep up to date and so on.
However, the 'small company' will have reservations about allowing someone other than the 'large company' to do all of that. Given that their web presence is pivotal to the success of their business, given that they may not have management resources, given the fear of the unknown, given a lack of in-house expertise, politically the solution they have arrived at can be considered as making business sense to them.
There is nothing wrong with the business arrangement from a legal/licensing point of view. From your point of view of getting the job done, you can do your design offline, i.e. on localhost, deliver the deliverables and collect your cheque.
If the deal with the 'large company' does not work out then, if your work is good, you will be well placed to take on the project, to charge 'freelancer' rather than 'agency' rates and build a long term relationship with the 'small company'. However, you are not there yet, your best bet is to forge a close working relationship with the 'small company' and the 'large company'. For all you know, the 'large company' may have other clients, and, if you work well with them (i.e. drop the suspicions and animosity-from-the-outset), then you will possibly get other design work from their other clients.

What service do you use to distribute software? [closed]

Closed 4 years ago.
I work for a medium-sized software company and have been put to the task of finding a new way of electronically distributing our software. We don't have a super fast connection to distribute it ourselves, so it would need to be a solution that we can upload to and send out links to customers. The customers won't be purchasing our software from our website, as we already do most of our sales from direct sales and partner sales. Since I joined the company we have grown from CD-sized distribution downloads to DVD-sized distribution downloads. We released a new version and find the YouSendIt service to be clunky, and 99% of our customers receive a link to download the software. We only send out printed media if requested. Is there a service besides YouSendIt that allows for unlimited file size uploads/downloads? I have heard of drop.io and it seemed to be similar to YouSendIt. If you could please point me in the direction of an electronic software distribution system that is third-party hosted, it would be appreciated.
Thanks
Mike
You should look into Content Delivery Networks, such as Amazon CloudFront.
You might want to reconsider the way you are going about this.
If your software is open source, you should be using SourceForge. Otherwise you should just get a cheap hosting plan with lots of transfer bandwidth.
For example, GoDaddy has an unlimited account (unlimited transfer, unlimited space) for about $14.95 per month.
You point a subdomain, i.e. download.rivageek.com, to that server. This gives your users confidence when they download your application.
If they have to go to some ad-laden third-party site they might think twice about giving you money. If you lose only 1 customer to that, it pays for itself (assuming you charge more than 14.95 for your product).
The fine print on many of those third-party sites means they own whatever you upload as well.
If you'd like something that allows (simplistically) secure one-time downloads, I've used filehosting.org in the past. They give you a hashed link to the software when you upload it, which you can then email to anybody you want to be able to download the file. If you want, you can set it to delete the file after one download.
In response to using your own domain for the downloads, it's possible to configure both Amazon S3 and CloudFront to use a custom domain name. Here are the instructions for S3 -- very straightforward:
http://docs.amazonwebservices.com/AmazonS3/latest/index.html?VirtualHosting.html
If emailing out a direct link to your distribution file (zip, etc.) is sufficient, I'd say go with one of these services -- they're very cost effective, reliable, and easy to set up.
You could use a file hosting service or get a regular web host with unlimited bandwidth; just avoid GoDaddy, as its shared hosting is overcrowded and overbooked (personal experience).

Using Twitter as a mechanism to remote control applications? [closed]

Closed 8 years ago.
I was brainstorming interesting usages of Twitter and came up with the following:
An application can use it as a call home mechanism
An application that has an invalid license could broadcast its location
A software company could use it as a remote shell like interface and issue commands to shutdown, restart and to publish patches
An application can use it for heartbeat purposes
Has anyone else come up with other non-standard usages of Twitter?
I fail to see the advantage of using a proprietary, third-party chat site in place of an appropriate networking protocol.
Matthew nailed the point that all these "applications" just represent a communications protocol between twitterer and remote host, and there are lots of mature protocols you could use instead right out of the box, rather than rolling your own on twitter.
But depending on your situation, of course there could be scenarios in which twitter is the easy way. I have written similar hacks that use e-mail as transport mechanism for automated tasks, simply because corporate red tape doesn't permit us other more conventional means. They can reboot machines, restart processes, post public messages, etc.
One of them is already available for Windows: "TweetMyPC v2.0 lets you shutdown/restart/LogOff and lots more in your Windows PC remotely."
I'm not sure this counts as a very practical use (a bit of fun mainly), but it certainly attracted my interest:
Twitter image encoding challenge
The idea of this challenge is to try to encode a picture into a 140 (Unicode) character Tweet. It's quite astounding how much information some of the algorithms posted there can fit into a message.
Scott Hanselman used Twitter to create an app for ordering a sandwich.
Check out his post
I think the main advantage of using twitter in instances like this is its SMS capabilities (and the fact they're free - whereas you can buy services that charge a monthly fee to allow you to receive SMS messages to a HTTP page or something like that).
I'd considered using it to make a little budget app for myself where I could SMS Twitter things I'd bought to a private Twitter account; similarly, for tracking petrol usage I was planning on SMSing the odometer reading, cost, etc. in a certain format and capturing it at home to run statistics and stuff on it. There are limitations to it though, like you can only hook up an SMS number to 1 Twitter account...
It's good to think outside the box, but don't be too focused on using just twitter because it's cool.
If you were comfortable setting up sensors and such, you could get a microcontroller, hook it up to a twitter feed, and then give it remote commands.
For instance, remote controlled house lights. You could then just tweet "Home lights on GXSDFXV" (The garbage at the end is to prevent real tweets from turning on and off your lights).
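The fixed "garbage" suffix above only stops accidental matches: anyone who has seen one tweet can post the same text again and the lights respond. The following is an added example, not code from the original answers or from any of the products mentioned, of what a receiver that acts on posted commands should check before doing anything: an HMAC tag over the command and a strictly increasing counter, so that a forged message fails the tag check and a captured, re-posted message fails the counter check. The message layout (`<command> #<counter> <tag>`), the shared key and the truncated 128-bit tag are assumptions constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Receiver remembers the highest counter it has accepted, so a message that
// was valid once cannot be accepted a second time even though its tag is intact.
type Receiver struct {
	key  []byte
	last uint64
}

func NewReceiver(key []byte) *Receiver { return &Receiver{key: key} }

// tag computes HMAC-SHA256 over "counter|command". Including the counter in
// the MAC input means the counter cannot be bumped without breaking the tag.
// The tag is truncated to 128 bits (32 hex chars) to leave room in a short post.
func tag(key []byte, counter uint64, command string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(strconv.FormatUint(counter, 10) + "|" + command))
	return hex.EncodeToString(m.Sum(nil)[:16])
}

// Seal formats an authenticated message: "<command> #<counter> <tag>".
func Seal(key []byte, counter uint64, command string) string {
	return fmt.Sprintf("%s #%d %s", command, counter, tag(key, counter, command))
}

// Accept parses a message, checks the tag in constant time, and enforces a
// strictly increasing counter. The command is returned only if every check passes;
// on failure nothing is updated, so a bad message cannot poison the counter.
func (r *Receiver) Accept(msg string) (string, error) {
	// Parse from the right, because the command itself may contain spaces.
	i := strings.LastIndex(msg, " ")
	if i < 0 {
		return "", errors.New("malformed: no tag")
	}
	gotTag, rest := msg[i+1:], msg[:i]
	j := strings.LastIndex(rest, " #")
	if j < 0 {
		return "", errors.New("malformed: no counter")
	}
	counter, err := strconv.ParseUint(rest[j+2:], 10, 64)
	if err != nil {
		return "", errors.New("malformed: bad counter")
	}
	command := rest[:j]
	if !hmac.Equal([]byte(gotTag), []byte(tag(r.key, counter, command))) {
		return "", errors.New("bad tag: not produced with the shared key")
	}
	if counter <= r.last {
		return "", errors.New("replayed or out-of-order counter")
	}
	r.last = counter
	return command, nil
}

func main() {
	key := []byte("constructed-demo-key-not-for-real-use") // assumption: shared secret
	r := NewReceiver(key)
	msg := Seal(key, 1, "Home lights on")
	fmt.Println(msg)
	cmd, err := r.Accept(msg)
	fmt.Println("first post:", cmd, err) // Home lights on <nil>
	_, err = r.Accept(msg)
	fmt.Println("re-posted:", err) // replayed or out-of-order counter
	_, err = r.Accept("Home lights on #2 deadbeef")
	fmt.Println("forged:", err) // bad tag: not produced with the shared key
}
```

The counter would normally be persisted by the receiver across restarts; if the sender can post from several devices, a per-device counter (or a timestamp with a short acceptance window plus a seen-set) takes the place of the single monotonic value.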
I wouldn't use Twitter in particular for transferring any private information (think about security if someone hacks the account and can shut down your corporate servers or transfer fake licenses). For that I would set up a private server which implements the open microblogging protocol (like identi.ca), as long as - like others already said - there is another more suitable protocol.
For publishing PUBLIC information (heartbeat messages can be considered that, too) I like the idea pretty much. We recently had a very successful (but unfortunately effectless) e-petition in Germany where a Twitter account posted the number of signatures every couple of minutes.
Carsonified are using this to allow people to discover other people sitting in the same room at their conferences.
They label each chair with a tag and then you tweet that tag to an account they have and it registers you on a floorplan on the venue. Users are coloured in on the plan by their interests.
Clever but a bit overcomplicated for my tastes...
http://hello.carsonified.com/Home/Faq

Windows Licensing Question [closed]

Closed 7 years ago.
This is slightly off topic of programming but still has to do with my programming project. I'm writing an app that uses a custom proxy server. I would like to write the server in C# since it would be easier to write and maintain, but I am concerned about the licensing cost of Windows Server + CALs vs a Linux server (obviously, no CALs). There could potentially be many client sites with their own server and 200-500 users at each site.
The proxy will work similar to a content filter. Take returning web pages, process based on the content, and either return the webpage, or redirect to a page on another webserver. There will not be any use of SQL server, user authentication, etc.
Will I need CALs for this? If so, about how much would it cost to set up a Windows Server with proper licensing (per server, in the USA)?
This really is an OT question. In any case, there is nothing easier than contacting your local MS distributor. As Stack Overflow is by nature an international site, asking a question like that, where the answer is most likely to vary by location (MS license prices really are highly variable and country-specific), is in my opinion not likely to receive a useful answer.
I realize this isn't exactly answering your question but if you want to use Linux, maybe you want to look into using Mono. .Net on Linux.
If users will not be actually connecting to any MS server apps (such as Exchange, SQL Server, etc) and won't be using any OS features directly (i.e. connecting to UNC paths) then all that should be required is the server license for the machine to run the OS. You need Windows Server CALs when clients connect to shares, Exchange CALs for mail clients, and SQL Server CALs for apps that connect to your databases. If the clients of your server won't be connecting to anything but the ports offered by your service, you should be in the clear, and it shouldn't cost any more to build a server for 100 users than 10.
You may not need any CALs for users depending on how you use the server. Certain functionality requires the purchase of CALs but some doesn't. There's no real good way to answer this question since the requirements are too vague. Does it use domain services? Does it use SQL server? Clustering? There are many variables.
If you are looking at what the most you could possibly pay, go to CDW and look at the Open License/Open Business products to get an estimate.
Like said above, if you are using your own connections and nothing else on the server you won't need the CALs.
I would Google the ROI on Linux vs Windows for a commercial server. I have no opinion generally on this, but I have seen that long term they level out; in the grand scheme of things the initial cost of the Windows license is actually minimal and insignificant.
Choose the best technology to solve the end users' problem, document why, provide an evaluation report, include maintenance costs, development costs etc. When you do this the answer will be clear to you and your customer.
If your users are not connecting to any other Windows resources (Active Directory, SQL Server, file shares, etc.) then you shouldn't need CALs, but I believe there is something like an external connector license. There's also a 'web edition' which looks like it's in the range of ~$400.
Also, it looks like Microsoft will be removing the CAL restrictions on web servers completely in Windows Server 2008.
Microsoft should call their licensing division Enigma...