views:

38

answers:

2

I have a question related to PKI infrastructure: should an organization go with Microsoft PKI or an independent, separate PKI infrastructure? Are there any licensing restrictions if I use Microsoft PKI infrastructure? Or should I get an independent PKI infrastructure from a vendor that offers PKI, TSA and SP (Signature Proof) infrastructure?

+1  A: 

Any PKI infrastructure you choose is bound to have its upsides and its downsides. I can tell you from experience that the Microsoft PKI products generally play pretty well with other Microsoft products but tend to have interoperability problems with non-Microsoft products. Over time, my understanding is that their oldest PKI products have gotten progressively more standards compliant, but they still have their quirks.

Time stamping authorities are useful if you have concerns about the replay of signed messages:

http://en.wikipedia.org/wiki/File:Trusted_timestamping.gif

But it means that every end entity will need to use that TSA when generating signatures.

If you're using your digital certificates for SSL, you won't need it; unique per-transaction proof of the private key is part of the protocol. If you are doing web authentication, many authentication mechanisms will use either SSL client auth or do something to force the private key to sign a unique value to assure that there is no man-in-the-middle attack.

I'm not quite sure what you mean by "Signature Proof". If you mean including a random and unique value in every hash to avoid replay attacks, then the same advice as for the TSA applies. But I'm guessing here.

It will all come down to: what are you using it for? How well does it need to perform? How do users and other systems need to interface with it?

Given that PKI is expensive, no matter how you slice it, you'll want to take some serious time thinking this one out. Between the cost of licenses, the cost of installation (man-hours) and the cost of maintenance, it's a major commitment worth system-level requirements development and design.

bethlakshmi
What I mean by signature proof is signature verification mechanisms, say in case I sign a PDF.
abmv
What level of signature verification would be required for your system? A simple signature verification (is the signature good, and is the signer coming from a trusted CA?) is generally done by the receiver with a client app. A PKIX-compliant verification (full OCSP verification of the certificate chain) will require a bigger PKI infrastructure. If you are protecting from outsiders, the first is probably good enough. If you are concerned about insider threat, the PKIX checks are important. That's a rule of thumb, though, not a final recommendation.
bethlakshmi
Also, with reference to Microsoft, does it have a set of services to verify against the certificate, and what about revocation lists etc.? Is there a set of services? Or should I call .NET namespaces?
abmv
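As an added illustration of the two verification levels discussed in this answer's comments (not code from the answerer or from Microsoft's own samples), the snippet below shows how the .NET `System.Security.Cryptography.X509Certificates` namespace expresses them through `X509Chain`: the "simple" check (does the signature chain to a trusted CA?) and the "PKIX" check (chain plus online OCSP/CRL revocation lookups for every certificate). The helper names `SimpleCheck`, `PkixCheck`, `Describe` and the sample file path are assumptions for this example; the `X509Chain`, `X509ChainPolicy` and enum members are the real .NET API.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Assumed helper class for this example (not part of the .NET API).
public static class SignerChainCheck
{
    // "Simple" verification: the signer's certificate must chain to a trusted
    // root in the local store, but no revocation information is consulted.
    public static bool SimpleCheck(X509Certificate2 signer, out X509ChainStatus[] status)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationTime = DateTime.Now;
        bool ok = chain.Build(signer);
        status = chain.ChainStatus;   // empty when ok == true
        return ok;
    }

    // "PKIX-style" verification: same chain building, plus an online OCSP/CRL
    // revocation check of every certificate in the chain. A certificate whose
    // revocation status cannot be determined makes Build() fail rather than
    // silently pass, which is what an insider-threat model usually wants.
    public static bool PkixCheck(X509Certificate2 signer, out X509ChainStatus[] status)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // tolerate nothing
        chain.ChainPolicy.VerificationTime = DateTime.Now;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(10);
        bool ok = chain.Build(signer);
        status = chain.ChainStatus;
        return ok;
    }

    // Turns the chain status flags into a one-line, log-friendly summary so a
    // failed verification can be diagnosed (untrusted root, revoked, offline, ...).
    public static string Describe(X509ChainStatus[] status)
    {
        if (status.Length == 0) return "chain OK";
        var parts = new string[status.Length];
        for (int i = 0; i < status.Length; i++)
            parts[i] = $"{status[i].Status}: {status[i].StatusInformation.Trim()}";
        return string.Join("; ", parts);
    }

    public static void Main(string[] args)
    {
        // Constructed sample path; in practice this is the signer certificate
        // extracted from the signed PDF or other signed document.
        string certPath = args.Length > 0 ? args[0] : "signer.cer";
        var signer = new X509Certificate2(certPath);

        bool simple = SimpleCheck(signer, out var simpleStatus);
        Console.WriteLine($"simple check: {simple} ({Describe(simpleStatus)})");

        bool pkix = PkixCheck(signer, out var pkixStatus);
        Console.WriteLine($"PKIX check:   {pkix} ({Describe(pkixStatus)})");
    }
}
```

Note that `X509Chain` only answers "is this signer certificate acceptable"; checking that the document's signature itself is valid is a separate step (for PDF, typically a PDF library that exposes the PKCS#7/CMS signature). On a Windows box enrolled in a Microsoft CA, the revocation lookup in `PkixCheck` goes to the CRL distribution point or OCSP responder URL embedded in the certificate, which is why the CA's revocation services have to be reachable from every verifier for the PKIX level to work.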
A: 

The question really comes down to the scope of use. If the PKI will only be used internally within your organization, then Microsoft's Certificate Services product provides a decent PKI platform. However, if your certificates may be used externally (customers, vendors, etc.), then you probably want to investigate using a trusted third-party PKI provider like VeriSign, Cybertrust (Verizon Business), etc.

We run Microsoft CS internally and it works well, particularly since one of our primary use cases is auto-enrollment of certificates via Active Directory. It allows IIS, VPN clients, etc. to automatically get certificates issued to them on an as-needed basis.

It's not the most full-featured PKI product I've worked with. If you're looking for a really advanced feature set, then you should look at Red Hat's Certificate System product. It's also open-sourced as the Dogtag PKI project.

Shadowman
