Requirements for in-house PKI

Nov 1, 2001 12:00 PM, Yuriy Dzambasow


         Subscribe in NewsGator Online   Subscribe in Bloglines

A number of factors need to be considered for an organization to set up a PKI in-house as a self-contained, closed system.

For a large portion of the market, PKI implementation goes no further than the software evaluation stage. They may decide that PKI software is too expensive to implement. Additionally, the software is technically complex and requires a specialized knowledge that stands as a barrier to “regular company” adoption.

With the appropriate software selected and purchased, organizations must next purchase and integrate corresponding hardware. Virtually every PKI system requires hardware to secure mission critical services, such as key management functions. Installing and integrating a PKI system is tantamount to installing an enterprise resource planning (ERP) system both in terms of cost and complexity. Just the setup of the technical PKI typically runs into the hundreds of thousands, if not into the millions of dollars. Integration is an equally complex and highly specialized undertaking — often beyond the skills of traditional IT personnel.

The real value of any PKI system is the underlying policy surrounding the technology. Organizations must answer the who, what, how, when, where, and why of their PKI to develop an adequate certificate policy (CP).

Organizations must answer many questions including:

  • Who will be the Certification Authority?

  • Who are the certificate holders?

  • Who is the regulation authority responsible for verification and validation of certificate holders and relying parties?

  • Who is responsible for operations from a policy level?

  • Who are the relying parties both within the organization and outside?

  • What course do relying parties and certificate holders take for transaction dispute resolution?

  • What kind of validation and verification is required and what is the source for enrollment information?

  • What are the identity proofing requirements for certificate holders?

  • What is the timeframe associated with policy life, status, and validation?

  • What actions are taken if a certificate is revoked?

  • How is revocation management performed (for example lists versus real-time status)?

  • What operational events surround PKI-based activities?

  • Will the organization use hardware-based, software-based, or both types of digital certificates and what type of management surrounds each?

  • For what types of PKI activities will the issued certificates be relied upon?

  • Who holds the key pair rights?

  • What information is contained in the certificate?

Once these questions and others have been answered, organizations must draft a Certification Practice Statement (CPS) that details specific procedures surrounding each of these policies. These highly specific rules give the PKI its teeth and also set forth the requirements all parties are to follow. After all the software, hardware, practice, and policy issues have been established, organizations must test and integrate the system, provide adequate maintenance staff, and begin the process of fully identifying and authenticating each certificate holder.

Additionally, organizations must develop, distribute, and enforce a contract infrastructure for all parties outside the organization that will either hold or rely on the digital certificates. These contracts could include relying party agreements, subscriber agreements and privacy policies. Finally, organizations must establish a public directory and resolve archiving issues.

Obviously, for organizations wishing to establish PKI themselves selecting a vendor is only the first step. The real challenge comes with developing, documenting, and implementing the policies and practices that must surround PKI services.

About the author

Yuriy Dzambasow is chief technical officer for Digital Signature Trust Co.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

Today's New Product

Product 1 Image

B.I.G. Parking Control/Guard Booth

Manufactured for Louisiana State University, The Estate parking control/guard booth from B.I.G. Enterprises was built to strict hurricane codes due to Hurricane Katrina. The booth features a copper standing seam roof, gutters and downspouts. It comes factory-prepared for on-site installation of architectural brick and has extensive electrical, high-output HVAC, data and communication lines, shelves and cabinets.

To read more...


Govt Security

Cover

SUBSCRIBE

This month in Access Control

Popular Stories

Quick Links

Webinar

Mass Notification Systems

Join AC&SS and ADT as they discuss the crucial role of mass notification systems before, during, and after emergency situations.
March 26 at 2pm ET

Register Now!

Back to Top