Hi Joe,

This is a bit off topic, but since Marcus allowed your question...

I guess I do not understand the question. Is someone else acting as your certificate authority? Are they provisioning you as a registration authority? What is the other side of your equation? Running your own CA? (There are also major expenses associated with that.) Are we talking software certificates? Or hardware-based certificates, which would also require readers?

In most cases the certificate authority maintains the liability for improper certificate issuance and responsibility for failure to revoke compromised certificates. If you have a subordinate CA server onsite, the extent that you must protect that CA should be outlined in the CPS document. That document should also define any liability that you are accepting by creating certificates onsite as well as the liability of the "outside source". It will also define the steps required if your CA key has been compromised. CAs usually require that very stringent security controls be in place.

The justification of the expense involved with running your own CA can be balanced by determining how many certs you will need to issue, what liability you are assuming, what controls and staffing you will need to provide the function, the cost of the initial cert, as well as reissuance and revocation, and any hardware costs vs. the cost of outsourcing these issues. (Keep in mind that certs are usually more expensive depending on the amount of assurance you require that the certified individual is really who they say they are. And certs have limited life spans and will need to be reissued on a regular basis.)

Generally speaking, unless you are provisioning a major PKI implementation, it would probably be cheaper and much less of a headache to pay the money and let someone else do it. But with the limited information you provided, it's really hard to say. Maybe an off-list conversation?

Tom

-----Original Message-----
From: Joe Ippolito [mailto:joeat_private]
Sent: Wednesday, October 20, 1999 11:26 AM
To: firewall-wizardsat_private
Subject: Certificate Authorities

Is the expense of having an outside source provide CA keys for my organization justified if I properly protect my own CA server on-site?

Thanks for your input.

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:44 PDT