Firewall Wizards mailing list archives

RE: Certificate Authorities


From: "Litney, Tom" <TLitney () caiso com>
Date: Fri, 22 Oct 1999 07:54:21 -0700

Hi Joe,
 
   This is a bit off topic, but since Marcus allowed your question...  I
guess I do not understand the question.  Is someone else acting as your
certificate authority?  Are they provisioning you as a registration
authority?  What is the other side of your equation?  Running your own CA?
(There are also major expenses associated with that.) Are we talking
software certificates?  Or hardware based certificates which would also
require readers?  In most cases the certificate authority maintains the
liability for improper certificate issuance and responsibility for failure
to revoke compromised certificates.  If you have a subordinate CA server
onsite, the extent that you must protect that CA should be outlined in the
CPS document.  That document should also define any liability that you are
accepting by creating certificates onsite as well as the liability of the
"outside source".  It will also define the steps required if your CA key has
been compromised.  CAs usually require that very stringent security controls
be in place.  The justification of the expense involved with running your
own CA can be balanced by determining how many certs you will need to issue,
what liability you are assuming, what controls and staffing you will need to
provide the function, the cost of the initial cert, as well as reissuance
and revocation, and any hardware costs vs. the cost of outsourcing these
issues.  (Keep in mind that certs are usually more expensive depending on
the amount of assurance you require that the certified individual is really
who they say they are.  And certs have limited life spans and will need to
be reissued on a regular basis.)  Generally speaking, unless you are
provisioning a major PKI implementation, it would probably be cheaper and
many fewer headaches to pay the money and let someone else do it.  But with
the limited information you provided, it's really hard to say.  Maybe an off
list conversation?
 
          Tom

-----Original Message-----
From: Joe Ippolito [mailto:joe () joesnet com]
Sent: Wednesday, October 20, 1999 11:26 AM
To: firewall-wizards () nfr net
Subject: Certificate Authorities


Is the expense of having an outside source provide CA keys for my
organization justified if I properly protect my own CA server on-site?
 
Thanks for your input.
