454b1d200d7dc88bfa6305a944742d0b.ppt
- Number of slides: 23
Certificate Authorities: Commercial Options
Robert Brentrup
Educause/Dartmouth PKI Summit, July 26, 2005
Current Commercial CA Products
• Sun iPlanet / AOL-Netscape
– => RedHat Certificate Server, LDAP
• RSA Certificate Manager (formerly Keon)
• Entrust Authority
• CyberTrust Unicert
– (formerly Betrusted) (formerly Baltimore)
• Microsoft Certificate Services
• Spyrus PKI System 6.0
• Oracle Application Server Certificate Authority
Related Services and Products
• CA Services
– Verisign
– Identrus/DST
– Geotrust
– Entrust
– RSA
– CyberTrust
• OCSP
– Corestreet
– Computer Associates (CA)
PKI Components
• CA server
• LDAP (or DAP) directory server
• Database for CA records
• RA function
• Client/application software support
Basic Requirements
• Supported software (OS) and hardware
• PKCS standards supported?
• Interoperability with other PKIs
• CA hardware key storage support
– what FIPS 140-2 Level rating?
– PKCS#11 and proprietary
CA hardware key storage
• nCipher
– (FIPS Level 3)
• Safenet
– (FIPS Level 2, 3)
– (Datakey and Rainbow Tech subsidiaries)
– (Rainbow Tech bought Chrysalis)
• AEP Networks
– Keyper (FIPS Level 4)
• Spyrus
– LYNK (PCMCIA, USB)
– Fortezza (PCMCIA)
Key Features 1
• Key sizes and types
– at least 1024, >4096? RSA, DSA, Elliptic Curve
• Dual key certificates?
• Certificate profiles
– prebuilt and customizable?
– vendor key extensions?
• Naming support: X.500, DC naming
• LDAP chaining or referrals, X.500, Active Directory
• CRLs and/or OCSP
Key Features 2
• RA functions: online or off-line, self service
• User interface for CA and RA operators
– Web page or vendor software?
• Key escrow and recovery
– How much operator intervention required?
• Record keeping (who has how many certs) and notifications (reminders of certs that need to be renewed)
Key Features 3
• Interoperability with applications
– Browser SSL, secure mail, signed documents, VPN, 802.1x EAP/TLS
– OS smart card signon (MS requires special OIDs)
• Client interface: Web browser or vendor software
– CSPs for MS IE
• Client key storage
– OS key store, PKCS#12 files, vendor software, hardware tokens and smartcards
Key Features 4
• Issue server certificates
– request types supported: PKCS#10, CRMF, SPKAC (Netscape), PKIX CMP, SCEP
• CA can be interconnected with other PKIs
– can be signed by recognized root certificates (some vendors own well known roots)
– can cross certify
Prices
• In general a wide range, but decreasing
• Models are either per seat or per certificate
– per seat is important if your organization has a large turnover of individuals (like a graduating class) though the number of individuals may be relatively constant
• Personal
– $100 to $1 per seat
– $70 to $7 per cert
• Server $50 - $1000
• Other costs: annual maintenance or additional certificates
Netscape-AOL-Sun-Redhat
• (formerly iPlanet CMS)
• uses SunOS or Windows
• web browser client interface (inherently cross platform)
• RA can be adapted to self service model
• Chrysalis, nCipher CA key storage
• standard LDAP, uses LDAP for internal DB
• Low cost per seat
• RedHat Certificate Server: Open Source, runs on Linux too
RSA Keon
• Platform: Solaris 8-9 or Windows 2000-3
• Integrated LDAP certificate repository
• Publishes to LDAP v2/v3 and X.500 Directories
• Origin of PKCS standards
• Up to 2048-bit keys for authentication
• X.509 CRLs and CRLs with extensions
• Unlimited sub-CA certificate chaining
• RSA, DSA, ECDSA
• FIPS 140-1 level 1 through 3 key security (via nCipher and/or other PKCS#11 devices)
Entrust Authority
• client software/keystore (Windows only)
• automatic key update, multiple key pairs per user
• Attribute Authority
• X.500 or LDAP
• Algorithm Support
– RSA, DSA, ECDSA signing, DES, 3-DES, CAST, RC2 Compatible, RC-4 Compatible, Elliptic Curve Cryptographic (ECC) signing, IDEA
Entrust: Security Manager
• Platforms:
– Compaq Tru64 (Oracle database)
– Microsoft Windows NT 4.0 (Informix database)
– Microsoft Windows 2000 Server (Informix database)
– Sun Solaris 7 and 8 (Informix or Oracle database)
– HP-UX 11.0 (Informix database)
– IBM AIX 4.3.3 (Informix database)
CyberTrust
• (formerly Baltimore)
• Solaris 8, Windows XP, Windows 2003 Server and Windows 2000
• Supports RSA (up to 4096 bits), DSA and Elliptic Curve DSA (ECDSA) key pairs
• Active Directory and LDAPv3 publishing
• OCSP, CRLs, Oracle DB
Microsoft Certificate Services
• Component of Windows 2003 Server
– (NT/2000 Certificate Server 1.0, 2.0)
• Integrated with Active Directory and Windows CAPI (OS and IE)
• Part of server site licensing (with AD)
• Added more features with new versions
Spyrus
• Platform: Windows NT and 2000
– Uses IIS, IE, Exchange and SQL Server as some of its infrastructure components
• Value-add to Windows Server Certificate Services and Active Directory
• Integrated with Active Directory and Windows CAPI
• Attribute Authority for privilege management
• Distributed RA
• LYNK key hardware
• End user smart token management
• Windows smart card login support
Dartmouth PKI Implementation
• Commercial CA Software (Sun/iPlanet)
– Sun 250 server
• Single Online CA Server
– Hardware Key Storage
– Dedicated Firewall
– Publishes CRLs and provides OCSP
• LDAP Directory
– Maintained from Institutional Systems: SIS, HR, Sponsored Guests
– Automated Addition and Deletion
• CA Publishes Certificates and CRLs to LDAP
Dartmouth PKI RA
• User Enrollment
• Key Generation by Web Browser
– Internet Explorer and Netscape/Mozilla
– Cross platform
• Software or Token Key and Certificate Storage
• LDAP authorization, self-service for SW certs
Dartmouth PKI Timeline
• Planning late 2001
• Staffing Jan - April 2002
• HW/SW Acquisition began Feb 2002
• CA Installation began June 2002
• Test CA available Sept 2002
• Production CA available Jan 2003
• First Applications
– Library Jun 2003, Banner Aug 2003
Product Links
• Netscape/AOL/iPlanet Certificate Server: http://www.redhat.com/software/rha/netscape
• RSA Certificate Manager: http://www.rsasecurity.com/node.asp?id=1224
• Entrust Authority: http://www.entrust.com/pki-public-keyinfrastructure/index.htm
• Spyrus PKI System: http://www.spyrus.com/products/pki_system_architecture.html
• Oracle Application Server Certificate Authority: http://www.oracle.com/technology/products/id_mgmt/oca/index.html
• CyberTrust Unicert: http://www.cybertrust.com/offerings/products/unicert.html
Company Links
• RSA: www.rsasecurity.com
• Entrust: www.entrust.com
• CyberTrust: www.cybertrust.com
• Spyrus: www.spyrus.com
• Microsoft: www.microsoft.com
• Oracle: www.oracle.com
• Computer Associates: www.ca.com
• Verisign: www.verisign.com
• Identrus/DST: www.digsigtrust.com/home.html
• Geotrust: www.geotrust.com/