nanog mailing list archives
Re: PKI for medium scale network operations
From: Sean Donelan <sean () donelan com>
Date: Sat, 26 Mar 2005 02:19:49 -0500 (EST)
Most people figured out I was not looking for a "public" CA solution. There is very little reason why internal certificates need to be recognized world-wide, or by anything outside of the internal organization. Also I didn't say it, but I'm not looking to identify natural people. Instead of using community names for SNMP or shared secrets for VPN, an alternative for a network operator is some form of public/private keys.

1. Cisco IOS CA server (http://www.cisco.com/)
2. Microsoft CA software (http://www.microsoft.com/)
3. roCA, based on TinyCA (http://www.intrusion-lab.net/roca/)
4. CATool (http://www.open.com.au/)

The Cisco IOS CA and Microsoft CA have the advantage of being integrated with a lot of each vendor's products. Once set up, both try to simplify on-going maintenance as long as you use their products. roCA and CATool are stand-alone.

Several people pointed out certificates don't fix the compromised device problem. Public/private key pairs are only as secure as the private key. The length of the key doesn't matter if you can get a copy of the private key.
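As an added illustration of the two points in the message above (an internal-only CA need not be trusted by anyone outside the organization, and the whole scheme stands or falls on the private key), here is a small stand-alone openssl script that builds a root CA, issues one device certificate, and checks both properties. This is example code written for this page, not from the original post or any of the CA products listed; the organization name, the "Internal Ops CA" and "router1.example.net" names, and the scratch directory are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes openssl(1) is on PATH.
# Names ("Example Net Ops", "Internal Ops CA", "router1.example.net") are placeholders.

# Build a self-signed internal root and issue one device certificate under it.
# Argument: a scratch directory. Returns 0 on success, 1 on any openssl failure.
build_internal_ca() {
    dir="$1"
    mkdir -p "$dir" || return 1
    # Root CA: self-signed. The CA private key never needs to leave this host.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
        -subj "/O=Example Net Ops/CN=Internal Ops CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key"
    # Device identity: key pair generated where the device lives; only the CSR travels.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Net Ops/CN=router1.example.net" \
        -keyout "$dir/router1.key" -out "$dir/router1.csr" 2>/dev/null || return 1
    chmod 600 "$dir/router1.key"
    # The CA signs the CSR. Peers only need ca.crt (public) to trust router1.crt.
    openssl x509 -req -in "$dir/router1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$dir/router1.crt" 2>/dev/null || return 1
}

# Verify the device cert against the internal root only. Succeeds (exit 0).
verify_internal() {
    openssl verify -CAfile "$1/ca.crt" "$1/router1.crt" >/dev/null 2>&1
}

# Verify against the system trust store only, with no internal root supplied.
# Expected to fail: an internal certificate is not, and need not be, recognized
# by anything outside the organization.
verify_public() {
    openssl verify "$1/router1.crt" >/dev/null 2>&1
}

# Show why the private key is the whole game: the public key bound into the
# signed certificate is exactly the one derived from router1.key, so whoever
# holds that file can present as router1, regardless of key length.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1/router1.key" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$1/router1.crt" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Sanity check that the private keys were left owner-only (mode 0600).
private_keys_are_private() {
    [ -n "$(find "$1" -name ca.key -perm 600)" ] &&
    [ -n "$(find "$1" -name router1.key -perm 600)" ]
}

# Stand-alone run: build everything in a temp dir and report the two checks.
if [ "${0##*/}" != "sh" ] && [ -z "${INTERNAL_CA_NO_MAIN:-}" ]; then
    scratch=$(mktemp -d) || exit 1
    build_internal_ca "$scratch" || exit 1
    verify_internal "$scratch" && echo "internal root:  router1.crt OK"
    verify_public "$scratch" || echo "system store:   router1.crt NOT trusted (expected)"
    key_matches_cert "$scratch" && echo "router1.key matches router1.crt"
    rm -rf "$scratch"
fi
```

The script only demonstrates issuance and verification; the point of the thread about compromised devices is the last function: a copy of router1.key is a full impersonation of router1 for the lifetime of that certificate, so key storage and revocation matter more than key size.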
Current thread:
- PKI for medium scale network operations Sean Donelan (Mar 25)
- Re: PKI for medium scale network operations Gadi Evron (Mar 25)
- Re: PKI for medium scale network operations Sean Donelan (Mar 26)
- Re: PKI for medium scale network operations Gadi Evron (Mar 26)
- Re: PKI for medium scale network operations Christopher L. Morrow (Mar 26)
- Re: PKI for medium scale network operations Sean Donelan (Mar 26)
- Re: PKI for medium scale network operations Gadi Evron (Mar 25)