PKI Deployment Issues to Consider
Dartmouth College PKI Lab
Key Issues
• Outsource vs. run your own CA?
• Private key protection for CA
• Escrow of private encryption keys?
• Publishing certificates
• Certificate Revocation Lists (CRLs)
• Policies and practices
Outsource vs. run your own CA?
• Commercial vendors
  – Verisign, DST, BeTrusted, GeoTrust, etc.
• Commercial CA software operated in-house
  – RSA, Netscape, Sun (discontinued)
• Open source CA software operated in-house
  – Homegrown using OpenSSL, OpenCA, Papyrus, PyCA, TinyCA, etc.
• Success stories with each of these
• Classic outsource versus in-house issues
• A secure CA is expensive to operate
• Tricky negotiating CA responsibilities and liabilities
• Possible higher education bulk purchase from one or more vendors?
Private key protection for CA
• A compromised CA private key lets an unauthorized party issue rogue certificates that chain to your CA. You must then reissue every certificate the CA signed, using a new private key!
• Strategies:
  – Offline CA using sneakernet
  – “Nearline” CA using firewalls with pinholes, VPNs, etc.
  – CA hierarchies (lose a subordinate key and only the certificates it issued are affected)
  – HSM to store private keys
Escrow of private encryption keys
• Lost private key => encrypted data is lost
  – Users may effectively destroy critical data
• Escrow is saving the private key to avoid such loss
• Don’t want to escrow signing and authentication keys (hampers non-repudiation – users may claim someone used the escrowed copy for that signature)
• Secure storage of keys and recovery procedures can be expensive
• Users may need multiple certificates for signing and encryption – some applications don’t handle this well
Publishing certificates
• For encryption, users need the recipient’s public certificate
• How do they get it?
  – Received S/MIME email
  – Exchanged .cer or other format file
  – LDAP lookup (requires that the CA publish certificates to the directory)
Certificate Revocation Lists (CRLs)
• End user certificates may be revoked:
  – Compromised private key
  – Left institution
  – Misbehaved
  – Got newer certificate
• Applications that care can check a list of revoked certificate serial numbers from the CA
• Alternatives:
  – Online Certificate Status Protocol
  – Consult an authorization system after authentication
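The two slides above (CA hierarchies under “Private key protection” and the CRL check here) can be tried end to end in a few dozen lines. The following is an added example, not code from the Dartmouth PKI Lab: it builds a root CA and a subordinate issuing CA, issues one end-user certificate from the subordinate, and then checks that certificate’s serial number against a CRL the way an application would. It uses the third-party `cryptography` package; every name, key and serial is generated for the demonstration, and the `check_status` helper is an assumed name for the relying-party logic, not a library API.

```python
"""Added example: two-level CA hierarchy plus a CRL check (not from the slides).
Requires the third-party `cryptography` package. All names and keys are
constructed here for the demonstration."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Fixed clock so validity periods are reproducible (constructed value).
NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)


def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, subject_key, issuer_cert, issuer_key, is_ca):
    """Issue a certificate signed by issuer_key; issuer_cert=None means self-signed root."""
    issuer_name = issuer_cert.subject if issuer_cert is not None else _name(subject_cn)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW)
        .not_valid_after(NOW + datetime.timedelta(days=365))
        # basicConstraints separates CA certificates from end-entity certificates.
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def build_crl(issuer_cert, issuer_key, revoked_serials):
    """Build a CRL, signed by the issuing CA, listing the given serial numbers."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_cert.subject)
        .last_update(NOW)
        .next_update(NOW + datetime.timedelta(days=1))
    )
    for serial in revoked_serials:
        revoked = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(NOW)
            .build()
        )
        builder = builder.add_revoked_certificate(revoked)
    return builder.sign(issuer_key, hashes.SHA256())


def check_status(cert, crl, crl_issuer_cert):
    """Relying-party check (assumed helper): 'good', 'revoked' or 'crl-untrusted'.

    A CRL only speaks for certificates issued by the CA that signed it, so the
    signature and issuer name are verified before the serial number is consulted.
    """
    if not crl.is_signature_valid(crl_issuer_cert.public_key()):
        return "crl-untrusted"
    if crl.issuer != cert.issuer:
        return "crl-untrusted"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    """Root -> subordinate -> end user; then revoke the end-user certificate."""
    root_key, sub_key, user_key = _key(), _key(), _key()
    root = issue("Example Root CA", root_key, None, root_key, is_ca=True)
    sub = issue("Example Issuing CA", sub_key, root, root_key, is_ca=True)
    user = issue("alice@example.edu", user_key, sub, sub_key, is_ca=False)

    empty_crl = build_crl(sub, sub_key, [])
    revoking_crl = build_crl(sub, sub_key, [user.serial_number])
    # A CRL signed by the root does not cover certificates the subordinate issued,
    # which is exactly why a compromised subordinate key affects only its own subtree.
    root_crl = build_crl(root, root_key, [user.serial_number])

    return {
        "before": check_status(user, empty_crl, sub),
        "after": check_status(user, revoking_crl, sub),
        "wrong_crl": check_status(user, root_crl, sub),
    }


if __name__ == "__main__":
    print(demo())
```

The `next_update` field matters in practice: a relying party that keeps using a CRL past that time is trusting stale revocation data, which is the gap OCSP (the first alternative above) is meant to narrow.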
Policies and practices
• Rules for how a CA operates and how users are vetted when registering for certificates
  – Certificate Policy (CP): requirements for granting and managing PKI credentials
  – Certification Practices Statement (CPS): actual steps an institution takes to implement the CP
• Don’t get intimidated or bogged down making your CP/CPS perfect! Consider what you are replacing and get your feet wet…
• http://middleware.internet2.edu/hepki-tag/pki-lite-policy-practices-current.html