[unisog] S/MIME Key Management

Nick Lewis lewisnic at acm.org
Thu Nov 10 23:08:57 GMT 2005


I was involved in setting up the CA to support the InCommon Federation 
(operated by Internet2). You may want to look at the CA docs that we put 
online at:


There is an offline CA and a webpage for users to submit CSRs.

Please note, the level of assurance is fairly low (probably rudimentary), 
but should easily scale to higher levels of assurance depending on your 

You may also want to look at the HEPKI-TAG web pages as they have several 
documents about operating a CA that might be helpful.


Hope that helps,


----- Original Message ----- 
From: "Christopher Crowley" <ccrowley at tulane.edu>
To: "UNIversity Security Operations Group" <unisog at lists.sans.org>; "Russell 
Fulton" <r.fulton at auckland.ac.nz>
Sent: Monday, November 07, 2005 11:47 AM
Subject: Re: [unisog] S/MIME Key Management

> Out of curiosity.
> Has anyone set up a CA that they feel follows best security practices and
> provides enterprise class service?
> For example, Is you CA offline. Is there a webpage for users to request 
> new
> certs, you escrow signing keys, a method in place to verify and sign 
> requests,
> and there are agents to vet the requestor and distribute certs?
> Christopher Crowley
> Technology Services
> Tulane University
> ccrowley at tulane.edu
> Tel: 713.212.1378 (Houston Temporary)
> Quoting Russell Fulton <r.fulton at auckland.ac.nz>:
>> Mike Wiseman wrote:
>>   I'd be interested to
>> > hear if others are doing a combination of reselling commercial CA
>> > products and running a self-signed CA. The reselling service would 
>> > serve
>> > those needing SSL server certs and S/MIME certs for external facing
>> > email. The internal CA would be used for user authentication and
>> > encryption apps.
>> This is exactly what we have been doing for nearly 5 years.  Up until
>> now we have just used self-signed cert internally but are now looking at
>> setting up  a small CA operation to sign certs for internal use and
>> encourage everyone on campus to load our master Cert into their browsers.
>> Russell
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.sans.org
>> http://www.dshield.org/mailman/listinfo/unisog
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

More information about the unisog mailing list