Certificate Authorities - Commercial Options Robert Brentrup Educause/Dartmouth PKI Summit July 26, 2005

Current Commercial CA Products Sun iPlanet / AOL-Netscape –=> RedHat Certificate Server, LDAP RSA Certificate Manager (formerly Keon) Entrust Authority CyberTrust Unicert –(formerly Betrusted) (formerly Baltimore) Microsoft Certificate Services Spyrus PKI System 6.0 Oracle Application Server Certificate Authority

Related Services and Products CA Services –Verisign –Identrus/DST –Geotrust –Entrust –RSA –CyberTrust OCSP –Corestreet –Computer Associates (CA)

PKI Components CA server LDAP (or DAP) directory server Database for CA records RA function Client/application software support

Basic Requirements Supported software (OS) and hardware PKCS standards supported? Interoperability with other PKIs CA hardware key storage support –what FIPS Level rating? –PKCS#11 and proprietary

CA hardware key storage nCipher –(FIPS Level 3) Safenet –(FIPS Level 2, 3) –(Data Key and Rainbow Tech subsidiaries –(Rainbow Tech bought Chrysalis) AEP Networks –Keyper (FIPS Level 4) Spyrus –LYNK (PCMCIA, USB) –Fortezza (PCMCIA)

Key Features 1 Key sizes and types –at least 1024, >4096? RSA, DSA, Elliptic Curve Dual key certificates? Certificate profiles –prebuilt and customizable? –vendor key extensions? Naming support: X.500, DC naming LDAP chaining or referrals, X500, Active Directory CRLs and/or OCSP

Key Features 2 RA functions: online or off-line, self service User interface for CA and RA operators –Web Page or vendor software? Key escrow and recovery –How much operator intervention required? Record keeping (who has how many certs) and notifications (reminder of certs that need to be renewed) functionality

Key Features 3 Interoperability with applications –Browser SSL, secure mail, signed documents, VPN, 802.1x EAP/TLS –OS smart card signon (MS requires special OIDs) Client interface: Web Browser or vendor software –CSPs for MS IE Client key storage –OS key store, PKCS#12 files, Vendor software, hardware tokens and smartcards

Key Features 4 Issue server certificates –request types supported PKCS#10, CRMF. SPKAC(Netscape), PKIX CMP, SCEP CA can be interconnected with other PKIs –can be signed by recognized root certificates (some vendors own well known roots) –can cross certify

Prices In general a wide range, but decreasing Models are either per seat or per certificate –per seat is important if your organization has a large turnover of individuals (like a graduating class) though the number of individuals may be relatively constant Personal –$100 to $1 per seat –$70 to $7 per cert Server $50 - $1000 Other costs: annual maintenance or additional certificates

Netscape-AOL-Sun-Redhat (formerly iPlanet CMS) uses SunOS or Windows web browser client interface (inherently cross platform RA can be adapted to self service model Chrysalis, nCipher CA key storage standard LDAP, uses LDAP for internal DB Low cost per seat RedHat Certificate Server: Open Source, runs on Linux too

RSA Keon Platform: Solaris 8-9 or Windows Integrated LDAP certificate repository Publishes to LDAP v2/v3 and X.500 Directories Origin of PKCS standards Up to 2048-bit keys for authentication X.509 CRLs and CRLs with extensions Unlimited sub-CA certificate chaining RSA, DSA, ECDSA FIPS level 1 through 3 key security (via nCipher and/or other PKCS#11 devices)

Entrust Authority client software/keystore (windows only) automatic key update, multiple key pairs per user Attribute Authority X.500 or LDAP, Algorithm Support –RSA, DSA, ECDSA signing, DES, 3-DES, CAST, RC- 2 Compatible, RC-4 Compatible, Elliptic Curve Cryptographic (ECC) signing, IDEA

Entrust: Security Manager Platforms: –Compaq Tru64 (Oracle database) –Microsoft® Windows NT® 4.0 (Informix database) –Microsoft® Windows® 2000 Server (Informix database) –Sun® Solaris® 7 and 8 (Informix or Oracle database) –HP® - UX® 11.0 (Informix database) –IBM® AIX® (Informix database)

CyberTrust (formerly baltimore) Solaris 8, Windows XP, Windows 2003 Server and Windows 2000 Supports RSA (up to 4096 bits), DSA and Elliptic Curve DSA (ECDSA) key pairs Active Directory and LDAPv3 publishing OCSP, CRLs, Oracle DB

Microsoft Certificate Services Component of Windows 2003 server –(NT/2000 Certificate Server 1.0, 2.0) Integrated with Active Directory and Windows CAPI (OS and IE) Part of server site licensing (with AD) Added more features with new versions

Spyrus Platform: Windows NT and 2000 –Uses IIS, IE, Exchange and SQL Server as some of its infrastructure components Value-add Windows Server Certificate Services and Active Directory Integrated with Active Directory and Windows CAPI Attribute Authority for privilege management Distributed RA LYNK key hardware End user smart token management Windows smart card login support

Dartmouth PKI Implementation: Commercial CA Software (Sun/iPlanet) Sun 250 server Single Online CA Server Hardware Key Storage Dedicated Firewall Publishes CRLs and provides OCSP LDAP Directory Maintained from Institutional Systems SIS, HR, Sponsored Guests Automated Addition and Deletion CA Publishes Certificates and CRLs to LDAP

Dartmouth PKI RA User Enrollment Key Generation by Web Browser –Internet Explorer and Netscape/Mozilla –Cross platform Software or Token Key and Certificate Storage LDAP authorization, self-service for SW certs

Dartmouth PKI Timeline Planning late 2001 Staffing Jan - April 2002 HW/SW Acquisition began Feb 2002 CA Installation began June 2002 Test CA available Sept 2002 Production CA available Jan 2003 First Applications –Library Jun 2003, Banner Aug 2003

Product Links Netscape/AOL/iPlanet Certificate Server: RSA Certificate Manager: Entrust Authority: infrastructure/index.htm Spyrus PKI System : Oracle Application Server Certificate Authority: CyberTrust Unicert: Oracle Application Server Certificate Authority:

Company Links RSA: Entrust: CyberTrust: Spyrus: Microsoft: Oracle: Computer Associates: Verisign: Identrus/DST: Geotrust: