The Certificate Authority is an 'entity' that issues the digital
certificates.
My questions are:
a) Imagine I set up only a CA (server) in my internal network (Win2000 AD) to
issue digital certificates around. For example, that way people can launch
browsers via HTTPS and have data encryption protection when using our
Intranet resources. Is that an effective solution by itself, or would I
have to set up a complete PKI solution to take advantage of public keys?
What exactly do I have to gain by implementing a PKI solution instead of
only implementing a CA server in my internal network? (The latter seems
pretty straightforward to implement.)
b) Would a Certificate Authority set up in my internal network be a
countermeasure against "spoofing"? (In this case, imagine somebody manages
to set up a rogue server with an IP address that is not that of the actual
production server.)
There is no PKI (Public Key Infrastructure) without a CA server that would
issue certificates...
To protect your internal resources you would first have to issue a certificate
to your server (e.g. an SSL certificate). Only then will users be able to
connect to the site using HTTPS (SSL).
Setting up a CA service (PKI) only seems straightforward. The problem is that
if you don't plan it correctly, it is quite hard to change the configuration.
Information about the CA (e.g. CRL, CDP, AIA, ...) is written into issued
certificates and can't be changed (if changed, the certificate becomes invalid).
To make the change, you first have to revoke all issued certificates, make
the change on the CA server and issue new certificates...
Yes, you can use PKI (certificates) to protect your resources against
spoofing (e.g. you can use SSL or IPSec for this).
Here, you can find more information on planning and implementing Microsoft
PKI. Instead of Windows 2000, set it up on Windows 2003.
New features:
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
Operations guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
Managing PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Certificate templates:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
Key archival:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kyacws03.mspx
Certificate Autoenrollment in Windows Server 2003:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Advanced certificate enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
Web enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
EFS:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
CRLS: http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
I hope this helps,
Mike
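To make concrete the point in the reply above that CRL/CDP/AIA information is baked into every issued certificate, here is an added Python example (not from this thread, and not Microsoft's tooling) using the `cryptography` library with constructed, hypothetical CA names and URLs: it issues a server certificate carrying CDP and AIA extensions, checks the CA's signature over it, then patches the CDP URL inside the issued certificate and shows the signature no longer verifies, which is why changing these values means revoking and reissuing.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

# Constructed URLs for the demo; host name and paths are hypothetical.
CDP_URL = "http://pki.corp.example/CertEnroll/CorpCA-old.crl"
AIA_URL = "http://pki.corp.example/CertEnroll/CorpCA-old.crt"

def build_ca_and_leaf(cdp_url=CDP_URL, aia_url=AIA_URL):
    # Throwaway CA and server keys, generated here so the demo runs offline.
    ca_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    now = datetime.datetime.now(datetime.timezone.utc)
    cn = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    leaf = (
        x509.CertificateBuilder()
        .subject_name(cn("intranet.corp.example"))
        .issuer_name(cn("Corp Root CA"))
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        # CDP and AIA sit inside tbsCertificate (the part the CA signs), so they are fixed at issue time.
        .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            [x509.UniformResourceIdentifier(cdp_url)], None, None, None)]), critical=False)
        .add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.CA_ISSUERS, x509.UniformResourceIdentifier(aia_url))]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key.public_key(), leaf

def crl_url_of(cert):
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    return ext.value[0].full_name[0].value

def signature_valid(ca_pub, cert):
    # The CA signature covers tbs_certificate_bytes, extensions included.
    try:
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def rewrite_cdp(cert, old_url, new_url):
    # Simulate editing the CDP after issue: patch the DER with a same-length URL and reload.
    der = cert.public_bytes(serialization.Encoding.DER)
    return x509.load_der_x509_certificate(der.replace(old_url.encode(), new_url.encode()))
```

Run `build_ca_and_leaf()`, then `rewrite_cdp(leaf, CDP_URL, CDP_URL.replace("old", "new"))`: the reloaded certificate reports the new URL but `signature_valid` returns False for it.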
"Marlon Brown" <marlon...@hotmail.com> wrote in message
news:%23ZBV061...@TK2MSFTNGP09.phx.gbl...