[unisog] Questions about Local Cert. Authorities
crawdad at fnal.gov
Thu Oct 9 13:50:02 GMT 2003
On Tuesday, Oct 7, 2003, at 18:42 America/Chicago, Seth Hollyman wrote:

> For example, for those of you who have a local CA, is it self-signed or
> a subordinate of someone like thawte/verisign/etc?

In our opinion, and the opinion of those with whom we collaborate,
using the PKI oligarchy adds zero value and zero security. (Or perhaps
reduces security.) I'm not going to go into all the reasoning here and
now. We use our own CAs for internal purposes, and band together in
community-of-interest groups, each with a national "lead" CA, for

> What kind of
> guidelines have been established for verifying client signing requests?

User certificate requests are authenticated by Kerberos and issued for
the lifetime of the Kerberos ticket. (See kx509 & kca from
CITI/UMichigan.) Server certificates are done with personal contact.

> What software are you using to manage your CA?

Bare naked openssl, I'm afraid. For the top level CA we Shamir
secret-shared the private key among security people and reassemble it
only in RAM never paged to disk.
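The post above says the top-level CA key was Shamir secret-shared among security staff and reassembled only in memory, but does not show how. The following is an added example, not the poster's code or tooling: a small (k, n) Shamir secret-sharing implementation over a prime field in Python. It assumes the thing being shared is a 32-byte key-encryption key (which would wrap the CA's private key file) rather than the raw RSA key, since that keeps each share a single field element; the prime, the function names and the sample key are all constructed for the example.

```python
"""Shamir (k, n) secret sharing over a prime field (added example, not the
poster's own tooling). Any k of the n shares reconstruct the secret; fewer
than k reveal nothing about it."""
import secrets

# 256-bit prime (2**256 - 189); the shared secret must be smaller than this.
# Chosen here so a 32-byte key-encryption key fits in one field element.
PRIME = 2**256 - 189


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, k, n):
    """Split an integer secret into n shares (x, y); any k reconstruct it.

    The secret is the constant term of a random polynomial of degree k-1,
    so k points pin the polynomial down and k-1 points leave every value of
    the constant term equally likely.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from k or more shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME       # product of (0 - xj)
                den = (den * (xi - xj)) % PRIME   # product of (xi - xj)
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def split_key(key_bytes, k, n):
    """Share a byte-string key (e.g. a 32-byte key-encryption key)."""
    if len(key_bytes) > 32:
        raise ValueError("key must be at most 32 bytes for this field size")
    return split_secret(int.from_bytes(key_bytes, "big"), k, n)


def recover_key(shares, length):
    """Reassemble a byte-string key of the given length from k+ shares.

    In the deployment described in the post this value would live only in
    RAM (e.g. in a process with mlock'd memory) and never be written to disk.
    """
    return recover_secret(shares).to_bytes(length, "big")


def demo():
    """3-of-5 split of a constructed sample key; returns True on round-trip."""
    sample_kek = bytes(range(32))                  # constructed sample key
    shares = split_key(sample_kek, 3, 5)
    subset = [shares[0], shares[2], shares[4]]     # any three holders suffice
    return recover_key(subset, 32) == sample_kek


if __name__ == "__main__":
    print("round-trip ok:", demo())
```

The split is information-theoretic: with k-1 shares every possible secret is consistent with what the holders see, so no strength is lost by storing the shares in separate hands. Operationally, the weak points are the moment of reassembly (the process that combines shares holds the full key) and share custody over time, which is why the post stresses reassembling only in RAM.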