Does Your Company Use a PKI Solution?
punkrokk asks: "I am doing an independent study of the feasibility of a Microsoft Certificate Services PKI in a distributed company. So far, it appears from my research that MS has the best supported implementation of an X.509-based PKI solution for the Windows environment. While there are a few major weaknesses in an X.509 Public Key Infrastructure, one of which being Certificate Revocation Lists, using one is better than nothing. You do get a tangible security benefit, in addition to doing switch port authentication and VPN quarantines. The problem is the cost of implementation is pretty steep, from the planning side. What do you guys do for dual-factor authentication? Has anyone had Verisign sign their Certificate Authority? If you have implemented a MS Certificate Services infrastructure, I would appreciate your comments."
For some internal (non user-facing) things I have used a self-signed cert; for example, when prototyping cosign (web single sign-on).
In the past we have rolled out a CA signed by CREN. This was a pretty small rollout and used for just Shibboleth, S/MIME, Web Auth, and some limited classroom work using handheld devices. At this point we are using mostly Thawte Freemail for S/MIME and CACERT for S/MIME, PDF signing, 802.1x, and an odd series of other tests/work.
This is less than ideal since we end up beholden to corporate groups, but there is something good on the horizon: USHER. Usher is a higher-ed CA being put together by Internet2 which will be cross-certified with the Federal CA bridge. Basically what CREN was supposed to be, only with more backing and interest.
The nice thing about it is that we will get a signing cert to use at will rather than paying someone like Verisign per certificate, which is not gonna happen with 138,000 users, especially if we wish to do any kind of PKI-LITE setup (where short-term "junk certs" are issued on demand, eliminating the need for a CRL, which nobody has figured out how to do right yet).
I have used OpenSSL to set up Certificate Authorities for military testbeds prior to, and coinciding with, their own PKI rollout. There is no cost associated with its use and, once you learn how to use it, it is very easy to use. OpenSSL creates and signs standard X.509 certificates that work with any browser, webserver, or email program that utilizes such certificates. You can set up CRLs and such easily as well.
OpenSSL is very powerful and useful. I have used it for many of its encryption routines (such as locking up my pr0n collection while I am in the Middle East!).
strike
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
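One way to do what the post above describes (an OpenSSL-based CA that issues certificates and publishes a CRL), as an added example that is not code from the poster or from any project mentioned in the thread. It assumes only that the openssl command-line tool is installed; the working directory, the "Testbed Root CA" name, the host names and the issuing policy are all constructed for the demo. The optional DAYS argument to issue_cert also shows the short-lived "junk cert" idea from the earlier post, where a one-day certificate expires before a CRL would ever matter.

```sh
#!/bin/sh
# Added example, not from the post: a one-tier OpenSSL CA that issues leaf
# certificates, publishes a CRL, revokes a certificate and re-checks it.
# WORK, the CA name and the host names below are constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# setup_ca: create the CA database, a self-signed root and an (empty) CRL,
# so relying parties can check revocation from day one.
setup_ca() {
  mkdir -p "$WORK/ca/newcerts"
  : > "$WORK/ca/index.txt"          # issued-certificate database
  echo 1000 > "$WORK/ca/serial"     # next certificate serial number
  echo 1000 > "$WORK/ca/crlnumber"  # next CRL number
  cat > "$WORK/ca/openssl.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  ( cd "$WORK" \
    && openssl req -x509 -new -nodes -newkey rsa:2048 -days 1825 \
         -subj "/CN=Testbed Root CA" -config ca/openssl.cnf -extensions v3_ca \
         -keyout ca/ca.key -out ca/ca.crt >/dev/null 2>&1 \
    && openssl ca -batch -config ca/openssl.cnf -gencrl -out ca/ca.crl >/dev/null 2>&1 )
}

# issue_cert NAME [DAYS]: generate a key and CSR for NAME, then sign it.
# DAYS=1 gives a short-lived "junk cert" that expires before a CRL matters.
issue_cert() {
  name=$1; days=${2:-365}
  ( cd "$WORK" \
    && openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$name" \
         -config ca/openssl.cnf -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1 \
    && openssl ca -batch -config ca/openssl.cnf -extensions v3_leaf -days "$days" \
         -notext -in "$name.csr" -out "$name.crt" >/dev/null 2>&1 )
}

# revoke_cert NAME: mark the certificate revoked and publish a fresh CRL.
revoke_cert() {
  ( cd "$WORK" \
    && openssl ca -batch -config ca/openssl.cnf -revoke "$1.crt" >/dev/null 2>&1 \
    && openssl ca -batch -config ca/openssl.cnf -gencrl -out ca/ca.crl >/dev/null 2>&1 )
}

# check_cert NAME: prints "valid", "revoked" or "invalid". The CRL is only
# consulted because -crl_check is given; a client that never fetches the
# CRL keeps accepting a revoked certificate.
check_cert() {
  ( cd "$WORK"
    cat ca/ca.crt ca/ca.crl > ca/bundle.pem
    if openssl verify -crl_check -CAfile ca/bundle.pem "$1.crt" >/dev/null 2>&1; then
      echo valid
    elif openssl verify -CAfile ca/ca.crt "$1.crt" >/dev/null 2>&1; then
      echo revoked   # chain is fine, so the CRL (a revoked entry) blocked it
    else
      echo invalid   # bad signature, expired, or not issued by this CA
    fi )
}

# Demo: two hosts, one of which is revoked.
setup_ca
issue_cert web01
issue_cert vpn-gw 1
printf 'web01 before revocation: %s\n' "$(check_cert web01)"
revoke_cert web01
printf 'web01 after revocation:  %s\n' "$(check_cert web01)"
printf 'vpn-gw (1-day cert):     %s\n' "$(check_cert vpn-gw)"
```

The CA key is written unencrypted (-nodes) only to keep the demo non-interactive; a real CA key belongs offline or on a token. The check function also makes the thread's complaint concrete: OpenSSL trusts the revoked certificate again the moment you drop -crl_check, so publishing a CRL is useless unless every relying party is configured to fetch and enforce it.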
Disclosure: I'm the Principal Engineer for Red Hat Certificate System. (Previously known as Netscape Certificate Management System).
Our product is fairly widely deployed. For example, every single one of the 18+ million certificates issued from the US Dept of Defense CAC (smartcard) deployment uses our Certificate Authority. There are many other deployments within the Federal government also.
In addition, someone mentioned Geotrust. Geotrust built their certificate issuance service on top of our certificate authority, so of course I think very highly of them.
Our product is an enterprise-class (meaning hugely scalable, and fault tolerant), full featured, mature product, written by engineers with many years experience in the PKI field.
But, I would like to turn the question around - If you haven't deployed a PKI yet, what is stopping you?
As an example, one of the deployment blockers we found in the past few years was the poor integration PKI management systems (Certificate Authorities) had with smartcard management systems. So, we engineered a smartcard management system and bundled it into the Certificate System at no extra cost.
What applications would people like to see PKI-enabled that aren't already?
And since I'm a Red Hat employee now, I am constantly thinking about integration with Red Hat Enterprise Linux and Fedora - so, what changes would you want to see happen?
I honestly think that, after 20 years of PKI being "about to take off", the tipping point isn't going to come from corporations: it is going to come from customers, most likely of Paypal or Ebay or CitiBank or Bank of America or Walmart or CVS or Postal Service or whomever (RadioShack?).
What will drive this will be developing and promoting a decent public PKI system. "Stop by the Customer Service Counter with enough ID and someone (with a bit of training) will certify you for a "Trusted Customer Card & Code" today!"
Then all of the good things that folks promise about PKI can be told/sold to J. Random Customer, and it'll be cheaper than a toaster and as valuable as their customer affinity card.
As a marketing tool it'll be high profile, moderately high contact, and likely with enormous retention. Sure there's an educational aspect but the press can handle that, every article will just bring that much more brand-awareness. Wanna verify my online whatever? I use Brand A!
Roll out a free plugin for the top 5 email clients and the lead will be impressive. It's techie, it's "smart", it'll be like recycling without having to deal with material objects.
Sorry, I know it all seems implausible, but when public PKI gets going I think it'll be bigger than "search" and "portals" and a lot "stickier".
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
We need PKI at my company, but there's a big problem.
The people who would be responsible for keys, can just barely handle email.
I know I'm not alone, and I know I'm not the only lone admin who would have to be responsible for putting such a system in place, and have to hold hands and train users.
I have researched my eyes out.