Internet.com ISP-Planet
Virtual Private Networks

We Need a Public Key Infrastructure —continued

PKI Components
VPNs aren't the only secure service to benefit from PKI. There are many secure applications and services that use digital certificates and public key cryptography, including email secured with S/MIME and web transactions secured with SSL. While specific requirements may differ from one application to another, all rely upon the same basic PKI components:

[Figure: the basic PKI components (image not available)]

The foundation of the PKI is the CA. The CA issues and signs certificates. It may be owned by a private enterprise or operated by a trusted third party. CAs may delegate trust through cross-certification or within a hierarchy. A CA that is directly trusted by your organization is known as the root CA. A CA that is indirectly trusted through relationship to the root CA is known as a subordinate CA. The root CA's own certificate may be self-signed. All subordinate CA certificates are signed by the root CA, creating a chain of trust.

When each certificate is created, a new key pair must be generated for the named "end entity" — the VPN device, web server, or mail user who will hold the private key and use it to create digital signatures. The public key, the name of the end entity, and the name of the issuing CA are all included in the certificate, which is then digitally signed by the CA for authenticity. In order to support non-repudiation, only the "end entity" must have access to the private key. If this is so, the end entity cannot later deny having signed a message because no one else could have done so. The private key must obviously be kept in a safe place. If it is ever stolen, the certificate must be revoked.

To facilitate distribution, certificates can be published in a repository. To improve accessibility and search efficiency, and to avoid a single point of failure, certificates can be published in multiple shadow directories, and directories can be chained to allow traversal from one name space to another. Repositories contain certificates, certificate revocation lists, authority revocation lists, and other related objects — for example, policy objects. Certificate repositories are typically accessed through LDAP. Because the CA itself must remain secure and the repository must, by design, be public, these two components are not only logically but also physically separate.

Administration functions can be distributed to Registration Authorities (RAs). The RA may be responsible for assigning names, generating or archiving key pairs, authenticating the end entity during enrollment, delivering authorization codes or keys to the end entity, and initiating revocation. The RA is effectively an administrative interface to the CA, but can be physically distributed for improved scalability and security, as well as for delegation of administrative responsibility to reflect organizational units.
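As an added illustration (not from the column or from any product listed on this page), the Go program below builds the chain of trust just described using only the standard library: a self-signed root CA, a subordinate CA whose certificate the root signs, and an end-entity certificate for a VPN gateway. The CA names and the hostname vpn-gw.example.com are constructed for the example; verification trusts the root alone, and a certificate for the same gateway name issued by an unrelated CA is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// must keeps the example short; production code returns errors instead.
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}
// issue generates a fresh key pair for the named entity and has the parent CA sign its
// certificate (nil parent: self-signed root CA). End entities get their name as a DNS SAN.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn}
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // the private key stays with the entity
	if parent == nil { parent, parentKey = t, key }              // a root CA signs its own certificate
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// BuildAndVerify chains root -> subordinate -> VPN gateway, verifies the gateway while
// trusting only the root, then shows that a same-named cert from an unrelated CA fails.
func BuildAndVerify() (chainOK, rogueRejected bool) {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	sub, subKey := issue("Example Subordinate CA", true, root, rootKey)
	gw, _ := issue("vpn-gw.example.com", false, sub, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // the only directly trusted anchor
	inters.AddCert(sub) // presented with the chain; trusted only because the root signed it
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "vpn-gw.example.com"}
	_, err := gw.Verify(opts)
	rogue, rogueKey := issue("Rogue CA", true, nil, nil)
	forged, _ := issue("vpn-gw.example.com", false, rogue, rogueKey)
	_, rogueErr := forged.Verify(opts)
	return err == nil, rogueErr != nil
}
func main() { println(BuildAndVerify()) }
```

Running it prints `true true`: the gateway certificate chains to the trusted root through the subordinate, while the rogue-issued certificate fails even though it carries the same name.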

There are additional components and services that may be associated with a PKI, and not every PKI includes every component. But, at this point, you should have a rough idea of what you might look for in a PKI you'd either build yourself or outsource from a third party.

Outsource Your PKI: CA Services
Do you need to roll your own PKI to put up an e-commerce web site? Of course not. There are many PKI services that will sell you a digital certificate. Several providers are enumerated below; you can also look in your web browser's certificate options to see a list of certificate "publishers" that you've already trusted by default.

 
ARCANVS http://www.arcanvs.com/
Baltimore Technologies (GTE) CyberTrust http://www.cybertrust.com/
Digital Signature Trust Co. http://www.digsigtrust.com/
ID Certify http://www.idcertify.com/
Thawte http://www.thawte.com/
USERTrust, Inc. http://www.usertrust.com/
VeriSign OnSite http://www.verisign.com/

If you're looking to construct a VPN with digital certificate authentication, you'll need certificates for every IPsec tunnel endpoint — security gateway or client — and this can become pricey. There are also administrative, performance, and security policy issues to be considered. We'll cover these in greater detail in a future column. And perhaps the biggest stumbling block at the moment: you'll need to select a PKI that's supported by your VPN devices. While standards are emerging for interaction between components, such as PKIX-CMP and OCSP, combining VPN and PKI products is still a hit-or-miss proposition.

Build Your Own PKI: Commercial Products
If you choose to roll your own PKI — to support a VPN or any other secure service — there are plenty of PKI products to choose from. A few commercial products are listed here.
 
Baltimore Technologies UniCERT http://www.baltimore.com/
CertCo CertAuthority http://www.certco.com/
Entrust/PKI http://www.entrust.com/
IBM (Tivoli) SecureWay PKI http://www-4.ibm.com/software/security/trust/
iPlanet Certificate Management System http://www.iplanet.com/
Microsoft Windows 2000 Certificate Services http://www.microsoft.com/
RSA Data Security Keon http://www.rsasecurity.com/
Sun SunScreen CA http://www.sun.com/security/product/ca.html
Xcert Sentry Suite http://www.xcert.com/

Functionality and protocol support vary from product to product. Perhaps the most important thing to keep in mind is that purchasing the software is a small part of the cost of building a PKI. Be prepared to devote expert staff to defining your security policy and architecting a PKI that meets your business requirements, both today and tomorrow. Most of these companies have professional services organizations that can assist you in understanding what's involved — use them.

Bottom Line
Public Key Infrastructure will play an important role in creating large scale VPNs. Whether you are an enterprise seeking a VPN solution or a service provider getting into the VPN business, now is the time to start learning about PKI. Initial products and services are available — get familiar with them. You may find you're not ready to roll out PKI yet, but most of you will need to do so eventually.

return to page 1: Why We Need a Public Key Infrastructure
