1 Reply Latest reply: Apr 5, 2011 5:08 PM by JRJADOBE

    FAXS configuration for CDN

    elauris2011

      What is Adobe's best practices recommendation for a FAXS configuration that needs to support multiple customers, e.g. in the context of a CDN? Specifically, the assumptions are:

      1. All customers are happy to outsource to the CDN the signing of their certs, packaging their content and serving licenses for it.

      2. There may be an overlapping set of end-users among these customers.

      3. It should never be possible for an end-user and anyone else associated with one customer to somehow use their cert to decrypt the content of another customer.

      Under these assumptions, is it still advisable for the CDN to use a single set of certificates to package all customers' content and to serve licenses from a single-tenant configuration? Or is it better to use a separate set of certs for each customer and to map each one to a different tenant on the license server? Bear in mind that the latter configuration is more complex in terms of managing and configuring multiple certs in the system.

      Any recommendations will be very much appreciated.

      Eli

        • 1. Re: FAXS configuration for CDN
          JRJADOBE Adobe Employee

          If a licensee is managing a multi-tenant installation, it is acceptable for those tenants to share a single set of production certificates (License, transport, and packager) managed by the host/licensee. (The host/licensee is still beholden to the Highly Confidential Information handling terms in the compliance and robustness rules.) The ability of a client to decrypt content would be gated by license issuance and the business rules that control it.

          However, in this scenario no key material can be shared with the customer. In cases where the customer wishes to package their own content, they will need their own set of certificates. Also, keep in mind that some customers who are licensing premium content may have explicit statements in their content licensing agreements which would preclude the use of a single set of credentials managed by a host; in these instances you would need to issue a customer-specific set of certificates to meet that contractual obligation.

          Does this answer your question?

             --- Joseph R. Jones

                 Sr. Product Manager

                 Adobe Systems
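
The reply above places tenant isolation in license issuance rather than in the certificates when one certificate set is shared. The following is an added example, not part of the thread and not Adobe Flash Access SDK code: a deny-by-default issuance rule in which content ownership is looked up server-side and an end user shared by two customers is evaluated per tenant. All names and sample data are hypothetical and constructed for illustration.

```python
# Added illustration; not Flash Access SDK code. All names are hypothetical.
from dataclasses import dataclass

# Constructed sample data: the tenant (CDN customer) that owns each content ID.
# Recorded by the host at packaging time, never taken from the client request.
CONTENT_OWNER = {"movie-001": "customer-a", "match-777": "customer-b"}

# Constructed entitlements: (tenant, user) -> content IDs that tenant granted.
# "alice" is an end user of both customers (assumption 2 in the question).
ENTITLEMENTS = {
    ("customer-a", "alice"): {"movie-001"},
    ("customer-b", "alice"): set(),
    ("customer-b", "bob"): {"match-777"},
}


@dataclass(frozen=True)
class LicenseRequest:
    tenant: str      # tenant the authenticated session belongs to
    user: str        # authenticated end-user identity
    content_id: str  # content ID carried in the license request


def decide(req: LicenseRequest) -> tuple[bool, str]:
    """Return (issue_license, reason). Anything not explicitly allowed is denied."""
    owner = CONTENT_OWNER.get(req.content_id)
    if owner is None:
        return False, "unknown content"
    # Shared certificates mean the crypto alone cannot tell tenants apart,
    # so the ownership check has to happen here, before any key is released.
    if owner != req.tenant:
        return False, "content belongs to another tenant"
    granted = ENTITLEMENTS.get((req.tenant, req.user), set())
    if req.content_id not in granted:
        return False, "user not entitled by this tenant"
    return True, "ok"


if __name__ == "__main__":
    for r in (LicenseRequest("customer-a", "alice", "movie-001"),
              LicenseRequest("customer-a", "alice", "match-777"),
              LicenseRequest("customer-b", "alice", "match-777")):
        print(r, "->", decide(r))
```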