
PKI Deployment Issues to Consider



  1. PKI Deployment Issues to Consider
     Dartmouth College PKI Lab

  2. Key Issues
     • Outsource vs. run your own CA?
     • Private key protection for the CA
     • Escrow of private encryption keys?
     • Publishing certificates
     • Certificate Revocation Lists (CRLs)
     • Policies and practices

  3. Outsource vs. run your own CA?
     • Commercial vendors
       • Verisign, DST, BeTrusted, GeoTrust, etc.
     • Commercial CA software operated in-house
       • RSA, Netscape, Sun (discontinued)
     • Open source CA software operated in-house
       • Homegrown using OpenSSL, OpenCA, Papyrus, PyCA, TinyCA, etc.
     • Success stories with each of these
     • Classic outsource versus in-house issues
       • A secure CA is expensive to operate
       • Tricky negotiating CA responsibilities and liabilities
     • Possible higher education bulk purchase from one or more vendors?

  4. Private key protection for the CA
     • A compromised CA private key lets an unauthorized party act as the CA and issue rogue certificates. Every certificate issued under that key is compromised and must be reissued from the CA using a new private key!
     • Strategies:
       • Offline CA using sneakernet
       • “Nearline” CA using firewalls with pinholes, VPNs, etc.
       • CA hierarchies (lose a subordinate key, only affect a portion of all certificates)
       • HSM (hardware security module) to store private keys

  5. Escrow of private encryption keys
     • Lost private key => encrypted data is lost
     • Users may effectively destroy critical data
     • Escrow is saving the private key to avoid such loss
     • Don’t want to escrow signing and authentication keys (hampers non-repudiation – users may claim someone used the escrowed copy for that signature)
     • Secure storage of keys and recovery procedures can be expensive
     • Users may need multiple certificates for signing and encryption – some applications don’t handle this well

  6. Publishing certificates
     • For encryption, users need the recipient’s public certificate
     • How do they get it?
       • Received S/MIME email
       • Exchanged .cer or other format file
       • LDAP lookup (requires that the CA publish certificates to the directory)

  7. Certificate Revocation Lists (CRLs)
     • End user certificates may be revoked:
       • Compromised private key
       • Left institution
       • Misbehaved
       • Got newer certificate
     • Applications that care can check a list of revoked certificate serial numbers from the CA
     • Alternatives:
       • Online Certificate Status Protocol (OCSP)
       • Consult an authorization system after authentication

  8. Policies and practices
     • Rules for how a CA operates and how users are vetted when registering for certificates
     • Certificate Policy (CP): requirements for granting and managing PKI credentials
     • Certification Practices Statement (CPS): actual steps an institution takes to implement the CP
     • Don’t get intimidated or bogged down making your CP/CPS perfect! Consider what you are replacing and get your feet wet…
     • http://middleware.internet2.edu/hepki-tag/pki-lite/pki-lite-policy-practices-current.html
