WebApp Sec mailing list archives
Re: Open Source Certificate authority
From: "George W. Capehart" <gwc () capehassoc com>
Date: Tue, 23 Sep 2003 16:59:33 -0400
On Tuesday 23 September 2003 01:28 pm, Alex Russell wrote:

<snip>

> I STRONGLY suggest you find a good primer on PKI as your question implies a basic misunderstanding of what guarantees PKI will and will not provide you.

I heartily agree. I would even take it a step further and suggest that you work with a group that is maintaining a PKI for a while. Setting up a PKI is a complex task and running one securely is beyond the scope of most organizations that do not have hardened facilities.

Here are some things to do that will give you an idea of what is involved in running your own PKI. (I don't mean setting up SSH keypairs or (Open)[G,P]GP keypairs. I'm talking about setting up a PKI that is to be used in transactions with which there are associated significant liabilities; i.e. ones that, if compromised, will result in the issuer of the certificates being taken to court).

Read http://www.counterpane.com/pki-risks.pdf

At http://csrc.nist.gov/pki/ - Go to the paragraph on the page that says:

"NIST is currently concentrating on PKI architectures, security requirements for PKI components, and PKI-enabled applications. The PKI architecture work is divided between development of complex PKIs based on the bridge CA concept and theoretical modeling of PKI performance. The goal of NIST's security requirements work is a Common Criteria Protection Profile."

Follow the links in that paragraph and read and understand the documents at the ends.

At http://csrc.nist.gov/pki/mispc/welcome.html - read and understand the MISPC.

At https://www.verisign.com/repository/ - read and *understand* the documents in the Digital ID Practices and understand *why* they exist in the first place.

At http://www.ietf.org/html.charters/pkix-charter.html - Read and understand the RFCs referenced on the page.

Then, if you think you have a general idea of the problem space, go to http://www.imc.org/ietf-pkix and spend a few weeks reading the archives of the mailing list.

Reread and see if you understand the implications of http://www.counterpane.com/pki-risks.pdf

This is the lite version of the list. I didn't get into the legal aspects and the digital signature laws and all of the law literature. If you're interested, Google is your friend.

Cheers,

George Capehart

--
George W. Capehart
"With sufficient thrust, pigs fly just fine . . ." -- RFC 1925
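The point both posters make about what a PKI does and does not guarantee can be made concrete with a small added example (editor's code, not from this thread or any project it mentions): a throwaway in-memory CA issues a server certificate, and a relying party verifies it with Go's standard crypto/x509 package. Chain verification establishes only that a root the verifier chose to trust signed a name-to-key binding that is valid at the time of checking; it says nothing about whether that root was operated soundly, which is what the reading list above (practice statements, protection profiles, liability) is really about. The CA name, hostname, and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustKey generates a fresh P-256 key. Keys here exist only in memory;
// a real CA would keep its signing key in hardened, access-controlled storage.
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewRoot builds a self-signed CA certificate with common name cn (constructed),
// valid for ten years. Trusting this certificate is a policy decision, not a
// technical fact the certificate itself can prove.
func NewRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// IssueServerCert has the CA sign a TLS server certificate for dnsName with the
// given validity window. All the CA asserts is "this name goes with this key".
func IssueServerCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, dnsName string, notBefore, notAfter time.Time) *x509.Certificate {
	leafKey := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyServerCert is the relying-party side: chain the leaf to the one root we
// trust, check the expected name, and check the validity window as of time at.
// A nil error means only that our chosen root vouched for the binding.
func VerifyServerCert(leaf, trustedRoot *x509.Certificate, dnsName string, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       pool,
		DNSName:     dnsName,
		CurrentTime: at,
	})
	return err
}

func main() {
	now := time.Now()
	root, rootKey := NewRoot("Example Internal CA") // constructed name
	leaf := IssueServerCert(root, rootKey, "app.example.test", now.Add(-time.Hour), now.AddDate(0, 0, 90))

	fmt.Println("valid chain:     ", VerifyServerCert(leaf, root, "app.example.test", now))
	fmt.Println("wrong hostname:  ", VerifyServerCert(leaf, root, "other.example.test", now))
	fmt.Println("after expiry:    ", VerifyServerCert(leaf, root, "app.example.test", now.AddDate(0, 0, 91)))

	// A second, unrelated root: same cryptography, but it never signed this leaf.
	otherRoot, _ := NewRoot("Some Other CA")
	fmt.Println("untrusted issuer:", VerifyServerCert(leaf, otherRoot, "app.example.test", now))
}
```

The three failing cases (name mismatch, expiry, unknown issuer) are everything chain validation can catch on its own. Whether the trusted root's operator verified the subject properly, protected its signing key, and will publish revocations is exactly the part no code path checks, which is why the thread keeps pointing at practice statements and the Counterpane paper rather than at software.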