Number of slides: 8

PKI Deployment Issues to Consider
Dartmouth College PKI Lab

Key Issues
• Outsource vs. run your own CA?
• Private key protection for CA
• Escrow of private encryption keys?
• Publishing certificates
• Certificate Revocation Lists (CRLs)
• Policies and practices

Outsource vs. run your own CA?
• Commercial vendors – Verisign, DST, BeTrusted, GeoTrust, etc.
• Commercial CA software operated in-house – RSA, Netscape, Sun (discontinued)
• Open source CA software operated in-house – Homegrown using OpenSSL, OpenCA, Papyrus, PyCA, TinyCA, etc.
• Success stories with each of these
• Classic outsource versus in-house issues
• A secure CA is expensive to operate
• Tricky negotiating CA responsibilities and liabilities
• Possible higher education bulk purchase from one or more vendors?

Private key protection for CA
• A compromised CA private key lets whoever holds it act as an unauthorized CA and issue rogue certificates. Every certificate issued under that key must be reissued from the CA using a new private key!
• Strategies:
  – Offline CA using sneakernet
  – “Nearline” CA using firewalls with pinholes, VPNs, etc.
  – CA hierarchies (lose a subordinate key, only affect a portion of all certificates)
  – HSM to store private keys

Escrow of private encryption keys
• Lost private key => encrypted data is lost
  – Users may effectively destroy critical data
• Escrow is saving the private key to avoid such loss
• Don’t want to escrow signing and authentication keys (hampers non-repudiation – users may claim someone used the escrowed copy for that signature)
• Secure storage of keys and recovery procedures can be expensive
• Users may need multiple certificates for signing and encryption – some applications don’t handle this well

Publishing certificates
• For encryption, users need the recipient’s public certificate
• How do they get it?
  – Received S/MIME email
  – Exchanged .cer or other format file
  – LDAP lookup (requires that the CA publish certificates to the directory)

Certificate Revocation Lists (CRLs)
• End user certificates may be revoked:
  – Compromised private key
  – Left institution
  – Misbehaved
  – Got newer certificate
• Applications that care can check a list of revoked certificate serial numbers from the CA
• Alternatives:
  – Online Certificate Status Protocol
  – Consult an authorization system after authentication
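The serial-number check the slide describes, as an added example that is not part of the Dartmouth deck: a CRL modelled with the RFC 5280 CRLReason codes (the slide's four revocation causes each map to one), and a lookup that fails closed when the CRL is stale or was issued by a different CA. The issuer name, serials and clock are constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# CRLReason codes from RFC 5280 section 5.3.1; the slide's four cases map to
# keyCompromise (1), affiliationChanged (3), privilegeWithdrawn (9), superseded (4)
CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
               3: "affiliationChanged", 4: "superseded",
               5: "cessationOfOperation", 6: "certificateHold",
               8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}

@dataclass
class RevokedEntry:
    serial: int               # serial number the CA put in the certificate
    revocation_date: datetime
    reason: int = 0           # CRLReason code, see CRL_REASONS

@dataclass
class CRL:
    issuer: str               # DN of the CA that signed this CRL
    this_update: datetime
    next_update: datetime     # the CRL is stale from this time on
    revoked: list = field(default_factory=list)

def check_status(cert_issuer: str, cert_serial: int, crl: CRL, now: datetime):
    """Return (status, detail) for one certificate against one CRL.
    Assumes the CRL signature was already verified with the CA's public key.
    A CRL from another issuer or one past nextUpdate gives no answer, so the
    caller must fail closed rather than treat the certificate as good."""
    if crl.issuer != cert_issuer:
        return "undetermined", "CRL issuer differs from certificate issuer"
    if now >= crl.next_update:
        return "undetermined", f"CRL stale since {crl.next_update.isoformat()}"
    for entry in crl.revoked:
        if entry.serial == cert_serial:
            return "revoked", CRL_REASONS.get(entry.reason, "unknown")
    return "good", "serial not on the list"

def reference_now() -> datetime:
    return datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo

def sample_crl(now: datetime) -> CRL:
    """Constructed CRL for a hypothetical campus CA; issuer and serials are made up."""
    return CRL(issuer="CN=Example College CA", this_update=now,
               next_update=now + timedelta(days=7),
               revoked=[RevokedEntry(0x1001, now, 1),   # compromised private key
                        RevokedEntry(0x1002, now, 3),   # left institution
                        RevokedEntry(0x1003, now, 9),   # misbehaved
                        RevokedEntry(0x1004, now, 4)])  # got newer certificate
```

A real deployment replaces the dataclasses with a parsed, signature-verified CRL (for example via OpenSSL or a library) but keeps the same three decisions: issuer match, freshness, then serial lookup.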

Policies and practices
• Rules for how a CA operates and how users are vetted when registering for certificates
  – Certificate Policy (CP): requirements for granting and managing PKI credentials
  – Certification Practices Statement (CPS): actual steps an institution takes to implement the CP
• Don’t get intimidated or bogged down making your CP/CPS perfect! Consider what you are replacing and get your feet wet…
• http://middleware.internet2.edu/hepki-tag/pki-lite-policy-practices-current.html