Certificate Authorities - Commercial Options
Robert Brentrup, Educause/Dartmouth PKI Summit, July 26, 2005


2 Current Commercial CA Products
Sun iPlanet / AOL-Netscape => RedHat Certificate Server, LDAP
RSA Certificate Manager (formerly Keon)
Entrust Authority
CyberTrust Unicert (formerly Betrusted, formerly Baltimore)
Microsoft Certificate Services
Spyrus PKI System 6.0
Oracle Application Server Certificate Authority

3 Related Services and Products
CA Services
–Verisign
–Identrus/DST
–Geotrust
–Entrust
–RSA
–CyberTrust
OCSP
–Corestreet
–Computer Associates (CA)

4 PKI Components
CA server
LDAP (or DAP) directory server
Database for CA records
RA function
Client/application software support

5 Basic Requirements
Supported software (OS) and hardware
Which PKCS standards are supported?
Interoperability with other PKIs
CA hardware key storage support
–what FIPS 140-2 Level rating?
–PKCS#11 and proprietary interfaces

6 CA hardware key storage
nCipher
–(FIPS 140-2 Level 3)
Safenet
–(FIPS 140-2 Level 2, 3)
–(Datakey and Rainbow Tech are subsidiaries; Rainbow Tech bought Chrysalis)
AEP Networks
–Keyper (FIPS 140-2 Level 4)
Spyrus
–LYNK (PCMCIA, USB)
–Fortezza (PCMCIA)

7 Key Features 1
Key sizes and types
–at least 1024 bits; >4096?
–RSA, DSA, Elliptic Curve
–Dual key certificates (separate signing and encryption key pairs)?
Certificate profiles
–prebuilt and customizable?
–vendor-specific extensions?
Naming support: X.500, DC naming
LDAP chaining or referrals, X.500, Active Directory
CRLs and/or OCSP

8 Key Features 2
RA functions: online or off-line, self service
User interface for CA and RA operators
–Web page or vendor software?
Key escrow and recovery
–How much operator intervention is required?
Record keeping (who has how many certs) and notifications (reminders for certs that need to be renewed)

9 Key Features 3
Interoperability with applications
–Browser SSL, secure mail, signed documents, VPN, 802.1X EAP-TLS
–OS smart card logon (Microsoft requires special OIDs in the certificate)
Client interface: web browser or vendor software
–CryptoAPI CSPs for Microsoft IE
Client key storage
–OS key store, PKCS#12 files, vendor software, hardware tokens and smart cards

10 Key Features 4
Issue server certificates
–request types supported: PKCS#10, CRMF, SPKAC (Netscape), PKIX CMP, SCEP
CA can be interconnected with other PKIs
–can be signed by recognized root certificates (some vendors own well-known roots)
–can cross-certify
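The feature checkboxes on slides 7, 9 and 10 (key types, CRLs, the Microsoft smart card logon OIDs, PKCS#10 requests, chaining to a root) are easier to evaluate once you have seen the whole cycle run end to end. The following is an added example in Go, not code from the presentation or from any vendor product named on this page. It uses only the Go standard library's crypto/x509. The CA is a toy that keeps its key in memory instead of in a PKCS#11 HSM, and all names (NewCA, MakeCSR, IssueFromCSR, "Example Campus CA", "alice") are invented for the example. The "special OID" slide 9 alludes to is the Windows Smart Card Logon EKU 1.3.6.1.4.1.311.20.2.2; Windows additionally expects the user's UPN as a subjectAltName otherName (1.3.6.1.4.1.311.20.2.3), which this example leaves out because Go's x509 package has no field for it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Windows Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2). Go has no constant for
// it, so the profile sets it via UnknownExtKeyUsage next to standard Client Auth.
var oidSmartCardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2}

// CA is a minimal online CA (example only); a real one keeps Key in a PKCS#11 HSM.
type CA struct {
	Key            *ecdsa.PrivateKey
	Cert           *x509.Certificate
	serial, crlNum int64
}

// NewCA generates a P-256 self-signed root allowed to sign certificates and CRLs.
func NewCA(cn string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Key: key, Cert: cert, serial: 1}, err
}

// MakeCSR is the requester side: the private key never leaves the client; only
// a PKCS#10 request (public key plus proof-of-possession signature) is sent.
func MakeCSR(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
}

// IssueFromCSR validates the request and signs it under a fixed smart card
// logon profile: extensions come from the profile, never from the CSR.
func (ca *CA) IssueFromCSR(csrDER []byte, ttl time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName == "" {
		return nil, fmt.Errorf("RA policy: CommonName is required")
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(ttl),
		KeyUsage:           x509.KeyUsageDigitalSignature,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidSmartCardLogon},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
}

// CRL signs a fresh CRL listing the given serials under a new CRL number.
func (ca *CA) CRL(revoked ...*big.Int) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	ca.crlNum++
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(ca.crlNum), ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: entries,
	}, ca.Cert, ca.Key)
}

// VerifyWithCRL is the relying-party side: chain to the root, then consult the
// CA-signed, unexpired CRL (cert.Verify alone performs no revocation check).
func VerifyWithCRL(root *x509.Certificate, certDER, crlDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL expired at %v", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %v is revoked", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	ca, _ := NewCA("Example Campus CA")
	csr, _ := MakeCSR("alice")
	cert, _ := ca.IssueFromCSR(csr, 365*24*time.Hour)
	leaf, _ := x509.ParseCertificate(cert)
	crl, _ := ca.CRL()
	fmt.Println("fresh cert:", VerifyWithCRL(ca.Cert, cert, crl))
	crl, _ = ca.CRL(leaf.SerialNumber)
	fmt.Println("after revocation:", VerifyWithCRL(ca.Cert, cert, crl))
}
```

Two points worth noting when comparing products against this. First, the issuing side takes the subject and public key from the CSR but every extension from its own profile; a CA that copies requested extensions through is how a requester ends up with a CA:TRUE or smart-card-logon certificate it should not have. Second, the relying-party side has to do the CRL work itself: chain validation in most libraries, Go's included, says nothing about revocation, and a CRL is only as good as its signature and its NextUpdate, which is why the slide's "CRLs and/or OCSP" question matters for the client software as much as for the CA.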

11 Prices
In general a wide range, but decreasing
Models are either per seat or per certificate
–per seat is the one to watch if your organization has a large turnover of individuals (like a graduating class) even though the number of individuals at any one time is relatively constant
Personal
–$1 to $100 per seat
–$7 to $70 per cert
Server: $50 - $1000
Other costs: annual maintenance or additional certificates

12 Netscape-AOL-Sun-RedHat (formerly iPlanet CMS)
Runs on SunOS or Windows
Web browser client interface (inherently cross platform)
RA can be adapted to a self-service model
Chrysalis, nCipher CA key storage
Standard LDAP; uses LDAP for its internal DB
Low cost per seat
RedHat Certificate Server: open source, runs on Linux too

13 RSA Keon
Platform: Solaris 8-9 or Windows 2000/2003
Integrated LDAP certificate repository
Publishes to LDAP v2/v3 and X.500 directories
Origin of the PKCS standards
Up to 2048-bit keys for authentication
X.509 CRLs and CRLs with extensions
Unlimited sub-CA certificate chaining
RSA, DSA, ECDSA
FIPS 140-1 Level 1 through 3 key security (via nCipher and/or other PKCS#11 devices)

14 Entrust Authority
Client software/keystore (Windows only)
Automatic key update, multiple key pairs per user
Attribute Authority
X.500 or LDAP
Algorithm support
–RSA, DSA, ECDSA signing, DES, 3DES, CAST, RC2-compatible, RC4-compatible, Elliptic Curve Cryptography (ECC) signing, IDEA

15 Entrust: Security Manager
Platforms:
–Compaq Tru64 (Oracle database)
–Microsoft Windows NT 4.0 (Informix database)
–Microsoft Windows 2000 Server (Informix database)
–Sun Solaris 7 and 8 (Informix or Oracle database)
–HP-UX 11.0 (Informix database)
–IBM AIX 4.3.3 (Informix database)

16 CyberTrust (formerly Baltimore)
Solaris 8, Windows XP, Windows 2003 Server and Windows 2000
Supports RSA (up to 4096 bits), DSA and Elliptic Curve DSA (ECDSA) key pairs
Active Directory and LDAPv3 publishing
OCSP, CRLs, Oracle DB

17 Microsoft Certificate Services
Component of Windows Server 2003
–(on NT/2000: Certificate Server 1.0, 2.0)
Integrated with Active Directory and Windows CAPI (OS and IE)
Part of server site licensing (with AD)
More features added with each new version

18 Spyrus
Platform: Windows NT and 2000
–Uses IIS, IE, Exchange and SQL Server as some of its infrastructure components
Value-add on top of Windows Server Certificate Services and Active Directory
Integrated with Active Directory and Windows CAPI
Attribute Authority for privilege management
Distributed RA
LYNK key hardware
End-user smart token management
Windows smart card logon support

19 Dartmouth PKI Implementation: Commercial CA Software (Sun/iPlanet)
Sun 250 server
Single online CA server
Hardware key storage
Dedicated firewall
Publishes CRLs and provides OCSP
LDAP directory maintained from institutional systems
–SIS, HR, sponsored guests
–Automated addition and deletion
CA publishes certificates and CRLs to LDAP

20 Dartmouth PKI RA
User enrollment
Key generation by web browser
–Internet Explorer and Netscape/Mozilla
–Cross platform
Software or token key and certificate storage
LDAP authorization, self-service for software certs

21 Dartmouth PKI Timeline
Planning: late 2001
Staffing: Jan - April 2002
HW/SW acquisition began Feb 2002
CA installation began June 2002
Test CA available Sept 2002
Production CA available Jan 2003
First applications
–Library Jun 2003, Banner Aug 2003

22 Product Links
Netscape/AOL/iPlanet Certificate Server: http://www.redhat.com/software/rha/netscape
RSA Certificate Manager: http://www.rsasecurity.com/node.asp?id=1224
Entrust Authority: http://www.entrust.com/pki-public-key-infrastructure/index.htm
Spyrus PKI System: http://www.spyrus.com/products/pki_system_architecture.html
Oracle Application Server Certificate Authority: http://www.oracle.com/technology/products/id_mgmt/oca/index.html
CyberTrust Unicert: http://www.cybertrust.com/offerings/products/unicert.html

23 Company Links
RSA: www.rsasecurity.com
Entrust: www.entrust.com
CyberTrust: www.cybertrust.com
Spyrus: www.spyrus.com
Microsoft: www.microsoft.com
Oracle: www.oracle.com
Computer Associates: www.ca.com
Verisign: www.verisign.com
Identrus/DST: www.digsigtrust.com/home.html
Geotrust: www.geotrust.com/
