PKI for medium scale network operations

Gadi Evron ge at linuxbox.org
Sat Mar 26 09:38:56 UTC 2005


[snip]

> organization.  Also I didn't say it, but I'm not looking to identify
> natural people.

[snip]

> The Cisco IOS CA and Microsoft CA have the advantage of being
> integrated with a lot of each vendor's products.  Once set up,
> both try to simplify on-going maintenance as long as you use
> their products.  roCA and CATool are stand-alone.
> 
> Several people pointed out certificates don't fix the compromised
> device problem.  Public/private key pairs are only as secure as the
> private key.  The length of the key doesn't matter if you can get
> a copy of the private key.

It all sounds reasonable, except for one thing.
PKI being the mess that it can be... it might be within reason to 
explore the general world of PKI, because building two separate 
infrastructures would potentially be a serious waste of resources.

As to the security of the devices themselves, there is no easy solution 
(and believe me, I tried!).
As long as the authentication mechanism is stored locally at the front 
lines, the risk will always be higher.

You *could* use a third box to authenticate both, but I find that idea 
wasteful. You could use one third box to authenticate all devices, but I 
personally find that a risk by itself.
I haven't figured this out yet.

	Gadi.
