Some Enrollment Scenarios
Chapter 2 Certificate Enrollment and Life-Cycle Management

• The Registration Manager provides only a subset of the capabilities of the Certificate Manager: those required for processing end-user requests. If the Registration Manager is compromised, the Certificate Manager can revoke its signing certificate (thus invalidating all subsequent requests from that Registration Manager) and issue a new one after the problem has been addressed. Note that revoking the Registration Manager’s signing certificate does not by itself revoke end-user certificates that were already issued on requests it approved while compromised; those must be reviewed and revoked individually.

Administrative and physical arrangements are closely related to firewall issues. The flexibility of CMS deployment options makes it possible to divide functions among existing administrative groups or physical locations, with minimal disruption to an organization.

The examples that follow do not address the role of the Data Recovery Manager or the potential use of multiple Registration Managers and Certificate Managers. For example, in some circumstances it might make sense to have some Registration Managers outside the firewall and some inside; in other cases different CMS subsystems might be located in entirely different physical locations, each with its own firewall.

In general, Netscape recommends that the Certificate Manager handle all certificate and CRL publishing functions. If it is necessary for some entries in a directory to be available outside the firewall, Netscape recommends using the partial replication feature of Directory Server to replicate only the relevant portion of the directory.

Extranet/E-Commerce: Acme Sales Corp.

Acme Sales is a high-end mail-order catalog service that is launching an online shopping service. Many of Acme’s affluent customers make very expensive purchases, so Acme has decided to use certificate-based authentication for its new web site.

Acme has 100,000 existing customers and expects to attract many new customers through its online service. The company wants to use its existing relational database to authenticate and enroll existing customers with minimal effort on their part. For new customers, Acme wants to establish a manual process entailing out-of-band credit checks (that is, checks that do not involve an electronic network), identity verification, and a personal phone call before an online certificate request can be granted. In addition, Acme plans to issue certificates to contract workers, suppliers, and employees who routinely access parts of the company’s internal network by using Kerberos.
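The Registration Manager bullet earlier in this section describes a containment property: because the Certificate Manager only trusts requests signed under a certificate it issued, revoking the Registration Manager’s signing certificate cuts off a compromised Registration Manager, and re-certifying a fresh key restores it. The following Go program is an added example that models that life cycle; it is not Netscape CMS code. It assumes a simplified certificate (serial number plus public key, signed by the Certificate Manager with Ed25519) and an in-memory revocation list in place of a published X.509 certificate and CRL; the `RMCert`, `CertManager`, `RegistrationManager` and `RunScenario` names, and the sample request body, are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// RMCert is a simplified stand-in (assumption for this example) for the
// X.509 signing certificate the Certificate Manager issues to a Registration
// Manager: the CM signs the serial number together with the RM's public key.
type RMCert struct {
	Serial uint64
	PubKey ed25519.PublicKey
	Sig    []byte
}

// tbs returns the bytes the CM signs (the "to be signed" part of the cert).
func (c *RMCert) tbs() []byte {
	buf := make([]byte, 8, 8+len(c.PubKey))
	binary.BigEndian.PutUint64(buf, c.Serial)
	return append(buf, c.PubKey...)
}

// CertManager issues RM signing certificates and records revoked serials,
// standing in for the CMS Certificate Manager and the CRL it publishes.
type CertManager struct {
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	next    uint64
	revoked map[uint64]bool
}

func NewCertManager() (*CertManager, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CertManager{pub: pub, priv: priv, next: 1, revoked: map[uint64]bool{}}, nil
}

// IssueRMCert signs a new certificate for an RM public key.
func (cm *CertManager) IssueRMCert(rmPub ed25519.PublicKey) *RMCert {
	c := &RMCert{Serial: cm.next, PubKey: rmPub}
	cm.next++
	c.Sig = ed25519.Sign(cm.priv, c.tbs())
	return c
}

// Revoke marks an RM certificate serial as no longer trusted.
func (cm *CertManager) Revoke(serial uint64) { cm.revoked[serial] = true }

// Request is an end-user enrollment request as forwarded by an RM: the
// request body, the RM's certificate, and the RM's signature over the body.
type Request struct {
	CSR  []byte
	Cert *RMCert
	Sig  []byte
}

var (
	ErrUntrustedRM = errors.New("RM certificate was not issued by this Certificate Manager")
	ErrRevokedRM   = errors.New("RM certificate has been revoked")
	ErrBadRequest  = errors.New("request signature does not verify under the RM certificate")
)

// Accept is the check the CM runs on every forwarded request. The CM's own
// signature on the RM certificate is verified before the revocation lookup,
// so a forged certificate is rejected without consulting the revoked set.
func (cm *CertManager) Accept(r *Request) error {
	if r.Cert == nil || !ed25519.Verify(cm.pub, r.Cert.tbs(), r.Cert.Sig) {
		return ErrUntrustedRM
	}
	if cm.revoked[r.Cert.Serial] {
		return ErrRevokedRM
	}
	if !ed25519.Verify(r.Cert.PubKey, r.CSR, r.Sig) {
		return ErrBadRequest
	}
	return nil
}

// RegistrationManager holds a signing key and the certificate the CM issued for it.
type RegistrationManager struct {
	priv ed25519.PrivateKey
	Cert *RMCert
}

// NewRegistrationManager generates an RM key pair and certifies it with the CM.
func NewRegistrationManager(cm *CertManager) (*RegistrationManager, error) {
	rm := &RegistrationManager{}
	return rm, rm.Rekey(cm)
}

// Rekey generates a fresh key pair and obtains a new certificate: the "issue
// a new one after the problem has been addressed" step. The old, possibly
// compromised, private key is discarded rather than re-certified.
func (rm *RegistrationManager) Rekey(cm *CertManager) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	rm.priv, rm.Cert = priv, cm.IssueRMCert(pub)
	return nil
}

// Forward signs an end-user request with the RM's current key.
func (rm *RegistrationManager) Forward(csr []byte) *Request {
	return &Request{CSR: csr, Cert: rm.Cert, Sig: ed25519.Sign(rm.priv, csr)}
}

// Verdicts holds the CM's decision at each stage of the life cycle.
type Verdicts struct{ Before, AfterRevoke, AfterReissue error }

// RunScenario walks the sequence from the text: normal operation, compromise
// and revocation of the RM certificate, then rekey and re-certification.
func RunScenario() (Verdicts, error) {
	var v Verdicts
	cm, err := NewCertManager()
	if err != nil {
		return v, err
	}
	rm, err := NewRegistrationManager(cm)
	if err != nil {
		return v, err
	}
	csr := []byte("constructed sample enrollment request for alice@example.com")
	v.Before = cm.Accept(rm.Forward(csr))
	cm.Revoke(rm.Cert.Serial) // RM compromised: CM revokes its signing certificate
	v.AfterRevoke = cm.Accept(rm.Forward(csr))
	if err := rm.Rekey(cm); err != nil { // problem addressed: new key, new certificate
		return v, err
	}
	v.AfterReissue = cm.Accept(rm.Forward(csr))
	return v, nil
}

func main() {
	v, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("before revocation:", v.Before)
	fmt.Println("after revocation: ", v.AfterRevoke)
	fmt.Println("after reissue:    ", v.AfterReissue)
}
```

Two points the model makes visible that the prose only implies: the check order in `Accept` (issuer signature, then revocation status, then the request signature) is what keeps a Registration Manager set up under a different Certificate Manager from being accepted at all, and revoking the Registration Manager’s certificate says nothing about end-user certificates the Certificate Manager already issued on its earlier requests, which is why those have to be reviewed separately.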