
Certificate Authorities - Commercial Options

Robert Brentrup, Educause/Dartmouth PKI Summit, July 26, 2005


Presentation Transcript


  1. Certificate Authorities - Commercial Options Robert Brentrup Educause/Dartmouth PKI Summit July 26, 2005

  2. Current Commercial CA Products
  • Sun iPlanet / AOL-Netscape
    • => RedHat Certificate Server, LDAP
  • RSA Certificate Manager (formerly Keon)
  • Entrust Authority
  • CyberTrust Unicert
    • (formerly Betrusted) (formerly Baltimore)
  • Microsoft Certificate Services
  • Spyrus PKI System 6.0
  • Oracle Application Server Certificate Authority

  3. Related Services and Products
  • CA Services
    • Verisign
    • Identrus/DST
    • Geotrust
    • Entrust
    • RSA
    • CyberTrust
  • OCSP
    • Corestreet
    • Computer Associates (CA)

  4. PKI Components
  • CA server
  • LDAP (or DAP) directory server
  • Database for CA records
  • RA function
  • Client/application software support

  5. Basic Requirements
  • Supported software (OS) and hardware
  • PKCS standards supported?
  • Interoperability with other PKIs
  • CA hardware key storage support
    • What FIPS 140-2 Level rating?
    • PKCS#11 and proprietary

  6. CA Hardware Key Storage
  • nCipher (FIPS Level 3)
  • Safenet (FIPS Level 2, 3)
    • (Data Key and Rainbow Tech subsidiaries)
    • (Rainbow Tech bought Chrysalis)
  • AEP Networks
    • Keyper (FIPS Level 4)
  • Spyrus
    • LYNK (PCMCIA, USB)
    • Fortezza (PCMCIA)

  7. Key Features 1
  • Key sizes and types
    • at least 1024, >4096? RSA, DSA, Elliptic Curve
  • Dual key certificates?
  • Certificate profiles
    • prebuilt and customizable?
    • vendor key extensions?
  • Naming support: X.500, DC naming
    • LDAP chaining or referrals, X.500, Active Directory
  • CRLs and/or OCSP

  8. Key Features 2
  • RA functions: online or off-line, self service
  • User interface for CA and RA operators
    • Web page or vendor software?
  • Key escrow and recovery
    • How much operator intervention required?
  • Record keeping (who has how many certs) and notifications (reminder of certs that need to be renewed) functionality

  9. Key Features 3
  • Interoperability with applications
    • Browser SSL, secure mail, signed documents, VPN, 802.1x EAP/TLS
    • OS smart card signon (MS requires special OIDs)
  • Client interface: web browser or vendor software
    • CSPs for MS IE
  • Client key storage
    • OS key store, PKCS#12 files, vendor software, hardware tokens and smartcards

  10. Key Features 4
  • Issue server certificates
    • Request types supported: PKCS#10, CRMF, SPKAC (Netscape), PKIX CMP, SCEP
  • CA can be interconnected with other PKIs
    • Can be signed by recognized root certificates (some vendors own well known roots)
    • Can cross certify

  11. Prices
  • In general a wide range, but decreasing
  • Models are either per seat or per certificate
    • Per seat is important if your organization has a large turnover of individuals (like a graduating class) though the number of individuals may be relatively constant
  • Personal
    • $100 to $1 per seat
    • $70 to $7 per cert
  • Server: $50 - $1000
  • Other costs: annual maintenance or additional certificates

  12. Netscape-AOL-Sun-Redhat (formerly iPlanet CMS)
  • Uses SunOS or Windows
  • Web browser client interface (inherently cross platform)
  • RA can be adapted to self service model
  • Chrysalis, nCipher CA key storage
  • Standard LDAP, uses LDAP for internal DB
  • Low cost per seat
  • RedHat Certificate Server: open source, runs on Linux too

  13. RSA Keon
  • Platform: Solaris 8-9 or Windows 2000/2003
  • Integrated LDAP certificate repository
  • Publishes to LDAP v2/v3 and X.500 directories
  • Origin of PKCS standards
  • Up to 2048-bit keys for authentication
  • X.509 CRLs and CRLs with extensions
  • Unlimited sub-CA certificate chaining
  • RSA, DSA, ECDSA
  • FIPS 140-1 level 1 through 3 key security (via nCipher and/or other PKCS#11 devices)

  14. Entrust Authority
  • Client software/keystore (Windows only)
  • Automatic key update, multiple key pairs per user
  • Attribute Authority
  • X.500 or LDAP
  • Algorithm support
    • RSA, DSA, ECDSA signing, DES, 3-DES, CAST, RC-2 compatible, RC-4 compatible, Elliptic Curve Cryptographic (ECC) signing, IDEA

  15. Entrust: Security Manager
  • Platforms:
    • Compaq Tru64 (Oracle database)
    • Microsoft Windows NT 4.0 (Informix database)
    • Microsoft Windows 2000 Server (Informix database)
    • Sun Solaris 7 and 8 (Informix or Oracle database)
    • HP-UX 11.0 (Informix database)
    • IBM AIX 4.3.3 (Informix database)

  16. CyberTrust (formerly Baltimore)
  • Solaris 8, Windows XP, Windows 2003 Server and Windows 2000
  • Supports RSA (up to 4096 bits), DSA and Elliptic Curve DSA (ECDSA) key pairs
  • Active Directory and LDAPv3 publishing
  • OCSP, CRLs, Oracle DB

  17. Microsoft Certificate Services
  • Component of Windows 2003 Server (NT/2000: Certificate Server 1.0, 2.0)
  • Integrated with Active Directory and Windows CAPI (OS and IE)
  • Part of server site licensing (with AD)
  • Added more features with new versions

  18. Spyrus
  • Platform: Windows NT and 2000
  • Uses IIS, IE, Exchange and SQL Server as some of its infrastructure components
  • Value-add to Windows Server Certificate Services and Active Directory
  • Integrated with Active Directory and Windows CAPI
  • Attribute Authority for privilege management
  • Distributed RA
  • LYNK key hardware
  • End user smart token management
  • Windows smart card login support

  19. Dartmouth PKI Implementation
  • Commercial CA software (Sun/iPlanet), Sun 250 server
  • Single online CA server
    • Hardware key storage
    • Dedicated firewall
    • Publishes CRLs and provides OCSP
  • LDAP directory maintained from institutional systems
    • SIS, HR, sponsored guests
    • Automated addition and deletion
  • CA publishes certificates and CRLs to LDAP

  20. Dartmouth PKI RA
  • User enrollment
  • Key generation by web browser
    • Internet Explorer and Netscape/Mozilla
    • Cross platform
  • Software or token key and certificate storage
  • LDAP authorization, self-service for SW certs
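The automated addition and deletion of slides 19 and 20, together with the record-keeping and renewal-reminder functionality of slide 8, come down to one reconciliation pass between the institutional roster feed and the CA's record of issued certificates. The Python below is an added illustration written for this page, not Dartmouth's or any vendor's software; the roster, serials and dates are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical people and serials, not real CA records).
# ROSTER models the LDAP directory fed from SIS/HR; ISSUED models the CA's record
# of issued certificates as (serial, subject uid, not_after, revoked).
ROSTER = {"alice", "bob", "carol"}
ISSUED = [
    (1, "alice", date(2005, 9, 1), False),
    (2, "alice", date(2006, 9, 1), False),   # alice has already renewed
    (3, "bob",   date(2005, 8, 10), False),  # expires soon, needs a reminder
    (4, "dave",  date(2006, 3, 1), False),   # dave has left: no longer on the roster
    (5, "erin",  date(2006, 3, 1), True),    # already revoked, nothing to do
]


def reconcile(roster, issued, today, remind_days=30):
    """Compare the CA's issued-certificate records with the institutional roster.

    Returns a dict with:
      revoke - serials of live certs whose subject left the roster (these go on
               the next CRL and into the OCSP responder's data),
      remind - roster members whose newest live cert expires within remind_days,
      enroll - roster members with no live cert at all (automated addition),
      counts - live certs per subject (the "who has how many certs" record).
    """
    deadline = today + timedelta(days=remind_days)
    # A cert is live if it is unrevoked and has not yet expired.
    live = [c for c in issued if not c[3] and c[2] >= today]

    counts, newest = {}, {}
    for _serial, uid, not_after, _revoked in live:
        counts[uid] = counts.get(uid, 0) + 1
        newest[uid] = max(newest.get(uid, not_after), not_after)

    revoke = sorted(serial for serial, uid, _, _ in live if uid not in roster)
    remind = sorted(uid for uid in roster if uid in newest and newest[uid] <= deadline)
    enroll = sorted(uid for uid in roster if uid not in newest)
    return {"revoke": revoke, "remind": remind, "enroll": enroll, "counts": counts}


if __name__ == "__main__":
    # Run as of the presentation date.
    print(reconcile(ROSTER, ISSUED, date(2005, 7, 26)))
```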

  21. Dartmouth PKI Timeline
  • Planning late 2001
  • Staffing Jan - April 2002
  • HW/SW acquisition began Feb 2002
  • CA installation began June 2002
  • Test CA available Sept 2002
  • Production CA available Jan 2003
  • First applications
    • Library Jun 2003, Banner Aug 2003

  22. Product Links
  • Netscape/AOL/iPlanet Certificate Server: http://www.redhat.com/software/rha/netscape
  • RSA Certificate Manager: http://www.rsasecurity.com/node.asp?id=1224
  • Entrust Authority: http://www.entrust.com/pki-public-key-infrastructure/index.htm
  • Spyrus PKI System: http://www.spyrus.com/products/pki_system_architecture.html
  • Oracle Application Server Certificate Authority: http://www.oracle.com/technology/products/id_mgmt/oca/index.html
  • CyberTrust Unicert: http://www.cybertrust.com/offerings/products/unicert.html

  23. Company Links
  • RSA: www.rsasecurity.com
  • Entrust: www.entrust.com
  • CyberTrust: www.cybertrust.com
  • Spyrus: www.spyrus.com
  • Microsoft: www.microsoft.com
  • Oracle: www.oracle.com
  • Computer Associates: www.ca.com
  • Verisign: www.verisign.com
  • Identrus/DST: www.digsigtrust.com/home.html
  • Geotrust: www.geotrust.com/
