[unisog] Questions about Local Cert. Authorities

Matt Crawford crawdad at fnal.gov
Thu Oct 9 13:50:02 GMT 2003

On Tuesday, Oct 7, 2003, at 18:42 America/Chicago, Seth Hollyman wrote:
> For example, for those of you who have a local CA, is it self-signed or
> a subordinate of someone like thawte/verisign/etc?

In our opinion, and the opinion of those with whom we collaborate, 
using the PKI oligarchy adds zero value and zero security.  (Or perhaps 
reduces security.)  I'm not going to go into all the reasoning here and 
now.  We use our own CAs for internal purposes, and band together in 
community-of-interest groups, each with a national "lead" CA, for 
international projects.

> What kind of
> guidelines have been established for verifying client signing requests?

User certificate requests are authenticated by Kerberos and issued for 
the lifetime of the Kerberos ticket.  (See kx509 & kca from 
CITI/UMichigan.)  Server certificates are done with personal contact.

> What software are you using to manage your CA?

Bare naked openssl, I'm afraid.  For the top level CA we Shamir 
secret-shared the private key among security people and reassemble it 
only in RAM never paged to disk.
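
The Shamir arrangement in the last paragraph, shown as an added Python example that is not the poster's own code: a key-sized integer is split into shares over a prime field, and any threshold subset of those shares recovers it, while fewer shares yield only noise. The field prime (the secp256k1 modulus), the 3-of-5 threshold and the sample secret are assumptions for illustration, not values from the post.

```python
import secrets

# Constructed choice: the secp256k1 field prime, so any 256-bit secret fits.
# A real CA private key would be wrapped or chunked into field elements first.
P = 2**256 - 2**32 - 977


def split_secret(secret: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Split `secret` into `shares` points on a random polynomial of degree
    threshold-1 over GF(P); any `threshold` points determine f(0) = secret."""
    assert 0 <= secret < P and 1 <= threshold <= shares
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        points.append((x, y))
    return points


def recover_secret(points: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate f(0) from shares (x_i, y_i). With fewer than
    `threshold` shares this returns a uniformly random-looking wrong value,
    not an error: that is the property the scheme relies on."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def demo_3_of_5(secret: int) -> bool:
    """Hand one share to each of five custodians; three of them reassemble
    the secret (in memory only), two of them cannot."""
    shares = split_secret(secret, threshold=3, shares=5)
    three_ok = recover_secret(shares[:3]) == secret
    any_three_ok = recover_secret([shares[0], shares[2], shares[4]]) == secret
    two_fail = recover_secret(shares[:2]) != secret
    return three_ok and any_three_ok and two_fail


if __name__ == "__main__":
    # Constructed placeholder secret, not a real key.
    print("3-of-5 sharing behaves as expected:", demo_3_of_5(0xC0FFEE))
```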
