Declaration Authorities - Commercial Options - PowerPoint PPT Presentation

certificate authorities commercial options l.
Skip this Video
Loading SlideShow in 5 Seconds..
Declaration Authorities - Commercial Options PowerPoint Presentation
Declaration Authorities - Commercial Options

play fullscreen
1 / 23
Download Presentation
aline-chapman
Views
Download Presentation

Declaration Authorities - Commercial Options

Presentation Transcript

  1. Certificate Authorities - Commercial Options Robert Brentrup Educause/Dartmouth PKI Summit July 26, 2005

  2. Current Commercial CA Products • Sun iPlanet / AOL-Netscape • => RedHat Certificate Server, LDAP • RSA Certificate Manager (formerly Keon) • Entrust Authority • CyberTrust Unicert • (formerly Betrusted) (formerly Baltimore) • Microsoft Certificate Services • Spyrus PKI System 6.0 • Oracle Application Server Certificate Authority

  3. Related Services and Products • CA Services • Verisign • Identrus/DST • Geotrust • Entrust • RSA • CyberTrust • OCSP • Corestreet • Computer Associates (CA)

  4. PKI Components • CA server • LDAP (or DAP) directory server • Database for CA records • RA function • Client/application software support

  5. Basic Requirements • Supported software (OS) and hardware • PKCS standards supported? • Interoperability with other PKIs • CA hardware key storage support • what FIPS 140-2 Level rating? • PKCS#11 and proprietary

  6. CA hardware key storage • nCipher • (FIPS Level 3) • Safenet • (FIPS Level 2, 3) • (Data Key and Rainbow Tech subsidiaries • (Rainbow Tech bought Chrysalis) • AEP Networks • Keyper (FIPS Level 4) • Spyrus • LYNK (PCMCIA, USB) • Fortezza (PCMCIA)

  7. Key Features 1 • Key sizes and types • at least 1024, >4096? RSA, DSA, Elliptic Curve • Dual key certificates? • Certificate profiles • prebuilt and customizable? • vendor key extensions? • Naming support: X.500, DC naming • LDAP chaining or referrals, X500, Active Directory • CRLs and/or OCSP

  8. Key Features 2 • RA functions: online or off-line, self service • User interface for CA and RA operators • Web Page or vendor software? • Key escrow and recovery • How much operator intervention required? • Record keeping (who has how many certs) and notifications (reminder of certs that need to be renewed) functionality

  9. Key Features 3 • Interoperability with applications • Browser SSL, secure mail, signed documents, VPN, 802.1x EAP/TLS • OS smart card signon (MS requires special OIDs) • Client interface: Web Browser or vendor software • CSPs for MS IE • Client key storage • OS key store, PKCS#12 files, Vendor software, hardware tokens and smartcards

  10. Key Features 4 • Issue server certificates • request types supported PKCS#10, CRMF. SPKAC(Netscape), PKIX CMP, SCEP • CA can be interconnected with other PKIs • can be signed by recognized root certificates • (some vendors own well known roots) • can cross certify

  11. Prices • In general a wide range, but decreasing • Models are either per seat or per certificate • per seat is important if your organization has a large turnover of individuals (like a graduating class) though the number of individuals may be relatively constant • Personal • $100 to $1 per seat • $70 to $7 per cert • Server $50 - $1000 • Other costs: annual maintenance or additional certificates

  12. Netscape-AOL-Sun-Redhat • (formerly iPlanet CMS) • uses SunOS or Windows • web browser client interface (inherently cross platform • RA can be adapted to self service model • Chrysalis, nCipher CA key storage • standard LDAP, uses LDAP for internal DB • Low cost per seat • RedHat Certificate Server: Open Source, runs on Linux too

  13. RSA Keon • Platform: Solaris 8-9 or Windows 2000-3 • Integrated LDAP certificate repository • Publishes to LDAP v2/v3 and X.500 Directories • Origin of PKCS standards • Up to 2048-bit keys for authentication • X.509 CRLs and CRLs with extensions • Unlimited sub-CA certificate chaining • RSA, DSA, ECDSA • FIPS 140-1 level 1 through 3 key security (via nCipher and/or other PKCS#11 devices)

  14. Entrust Authority • client software/keystore (windows only) • automatic key update, multiple key pairs per user • Attribute Authority • X.500 or LDAP, • Algorithm Support • RSA, DSA, ECDSA signing, DES, 3-DES, CAST, RC-2 Compatible, RC-4 Compatible, Elliptic Curve Cryptographic (ECC) signing, IDEA

  15. Entrust: Security Manager • Platforms: • Compaq Tru64 (Oracle database) • Microsoft® Windows NT® 4.0 (Informix database) • Microsoft® Windows® 2000 Server (Informix database) • Sun® Solaris® 7 and 8 (Informix or Oracle database) • HP® - UX® 11.0 (Informix database) • IBM® AIX® 4.3.3 (Informix database)

  16. CyberTrust • (formerly baltimore) • Solaris 8, Windows XP, Windows 2003 Server and Windows 2000 • Supports RSA (up to 4096 bits), DSA and Elliptic Curve DSA (ECDSA) key pairs • Active Directory and LDAPv3 publishing • OCSP, CRLs, Oracle DB

  17. Microsoft Certificate Services • Component of Windows 2003 server • (NT/2000 Certificate Server 1.0, 2.0) • Integrated with Active Directory and Windows CAPI (OS and IE) • Part of server site licensing (with AD) • Added more features with new versions

  18. Spyrus • Platform: Windows NT and 2000 • Uses IIS, IE, Exchange and SQL Server as some of its infrastructure components • Value-add Windows Server Certificate Services and Active Directory • Integrated with Active Directory and Windows CAPI • Attribute Authority for privilege management • Distributed RA • LYNK key hardware • End user smart token management • Windows smart card login support

  19. Dartmouth PKI Implementation: • Commercial CA Software (Sun/iPlanet) Sun 250 server • Single Online CA Server Hardware Key Storage Dedicated Firewall Publishes CRLs and provides OCSP • LDAP Directory Maintained from Institutional Systems SIS, HR, Sponsored Guests Automated Addition and Deletion • CA Publishes Certificates and CRLs to LDAP

  20. Dartmouth PKI RA • User Enrollment • Key Generation by Web Browser • Internet Explorer and Netscape/Mozilla • Cross platform • Software or Token Key and Certificate Storage • LDAP authorization, self-service for SW certs

  21. Dartmouth PKI Timeline • Planning late 2001 • Staffing Jan - April 2002 • HW/SW Acquisition began Feb 2002 • CA Installation began June 2002 • Test CA available Sept 2002 • Production CA available Jan 2003 • First Applications • Library Jun 2003, Banner Aug 2003

  22. Product Links • Netscape/AOL/iPlanet Certificate Server: http://www.redhat.com/software/rha/netscape • RSA Certificate Manager: http://www.rsasecurity.com/node.asp?id=1224 • Entrust Authority: http://www.entrust.com/pki-public-key-infrastructure/index.htm • Spyrus PKI System : http://www.spyrus.com/products/pki_system_architecture.html • Oracle Application Server Certificate Authority: http://www.oracle.com/technology/products/id_mgmt/oca/index.html • CyberTrust Unicert: http://www.cybertrust.com/offerings/products/unicert.html • Oracle Application Server Certificate Authority: http://www.oracle.com/technology/products/id_mgmt/oca/index.html

  23. Company Links • RSA: www.rsasecurity.com • Entrust: www.entrust.com • CyberTrust: www.cybertrust.com • Spyrus: www.spyrus.com • Microsoft: www.microsoft.com • Oracle: www.oracle.com • Computer Associates: www.ca.com • Verisign: www.verisign.com • Identrus/DST: www.digsigtrust.com/home.html • Geotrust: www.geotrust.com/