Slashdot Mirror


User: BurgerOZ

BurgerOZ's activity in the archive.

Stories: 0
Comments: 2

Comments · 2

  1. PKI and the real world! on Is The Public Key Infrastructure Outdated? · Score: 1

    I have a little experience here in the IPSEC arena, and the company that I was previously working for has decided to waste a heap of cash building a place to house a CA because of this initial IPSEC delve. The basic problem - in the real world - that I see is that whilst PKI/X.509/LDAP are ratified IETF standards, the way that the CA vendors (Entrust, Verisign, Baltimore etc.) build their CAs for use is way too commercial. In Australia, we have a "set of rules" set up for cert use with the government called "Gatekeeper". Gatekeeper is the baseline that CAs who propose to sell/sign certs to the AU Government *must* adhere to - such as physical security, IP security, on-site security etc. (BTW: not having "Gatekeeper" approval does NOT mean you can't sign keys! But that is another story relating to trust of the key provider.) Nonetheless, the most difficult item that I see is that the CA vendors all do things differently for themselves. It is possible to build a CA with basic equipment and some basic software - pay an upstream trust for a CA cert and Bingo - you have a CA! Now, if you want to sign SSL certs - you have to buy the SSL module (and with some configs - the extra client software). If you want to use a cert to sign S/MIME - you buy another module - you want to encrypt files... you buy another module and so on and so forth. Basically - like Ethernet of the old days, whilst there is a BASIC idea of HOW PKI works and a framework for use - even the CA vendors haven't got it "open platform". It is very hard to get unlike CA software to intracommunicate! Oh... yeah - Australia Post (national postal network) built their own CA software - they *should* have had the best platform due to their unique nationwide RA possibility - but it died in the arse - they shouldn't have written their own software! You would have to be mad to be all things to all men in this market! Don't build your own - buy someone else's!

  2. IPSEC is the way to go on Open VPNs On Unix That Support Windows Clients? · Score: 1

    My previous job involved this stuff - you should look into IPSEC - we had some kit from TimeStep/NewBridge/Alcatel called "Permit/Gate". They have a hardware box (2-port Ethernet VPN encryption gateway) and a WIN95/98/NT client too. Some of my customers used to use OpenBSD, but as IPSEC is "open source" you could [should?] interoperate with *most* IPSEC implementations, and apparently KAME/FreeSwan have been involved in the Bakeoffs for testing IPSEC too (all vendors are supposed to do this for interoperability testing). A pure TimeStep solution works a treat, but I knew someone who used their WIN client with their OpenBSD, for example, to get WIN clients into the network. Sounds like this might be the GO for you!