PKI for medium scale network operations

Gadi Evron ge at linuxbox.org
Fri Mar 25 23:00:49 UTC 2005


Sean Donelan wrote:
> Routers, IP phones, VPN, etc are starting to get reasonable support
> for certificates.  So network operators may need some PKI as part
> of their infrastructure (rather than the traditional application-layer
> PKI such as Web/SSL).
> 
> But there seems to be only two choices for Public Key Infrastructure.  The
> do it yourself crowd which requires a lot of expertise just to keep
> running, and the we'll do everything for you crowd which is massive
> in scale and price.
> 
> Have any network operators found something in between?  Simple enough
> that after it is set up, an administrative person can handle the day
> to day operation.  But not so expensive, you can justify the
> infrastructure for the relatively certificates being managed?
> Most network infrastructure is internal, so there is no need for
> a world-wide PKI for internal stuff.
> 
> Microsoft is actually doing an impressive job building it into
> their systems.  Is that the direction network operators are going?

PKI is a messy, yet necessary, business. I honestly believe that you need 
to run your own, but what does that mean? And first, do you need it?

Do you need your own CA? Do you issue your own smart cards? How do you 
handle new employees, old employees or expirations? How do you handle 
integrating the technology and how the heck can you get it all to work?

Now, I'm as far from being a PKI expert as one can be.. erm..
But still, I personally strongly believe in two half-conflicting issues:
1. Do-it-yourself for every organization on the planet is a waste of 
resources.
2. Allowing others to manage what your organization does is wrong.

So what is the path in the middle?

It comes down to size. How much are you willing to invest when 
considering your needs? I'd first look into whether you are actually 
interested in going for this mess. And even if you want to run your 
own shop, don't re-invent the wheel, and don't pay someone to do 
everything for you.

This is rather off-topic, but my inbox is open to anyone.

	Gadi.
