Entrust Datacard
David Terry – EMEA Business Development Director
PKI Management and Managed PKI
Copyright Entrust Datacard
Entrust Managed Services
• Building, Supporting, Managing PKIs since c. 2000
• Technology Agnostic
• Purpose Built Data Centre
• ETSI, WebTrust, ISO27001, tScheme, ISO9001, etc.
• Governments, Defense, Finance, Telecoms, Commercial.
I’m sure we all know this: “What is a PKI?”
• Electronic Identity
• Used for:
  • Authentication
  • Signing
  • Non-repudiation / integrity
  • Encryption
• Needed by Relying Parties
“A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store & revoke digital certificates and manage public-key encryption”
• Policies
• People
• Procedures
• Audit
• A bit of Technology
Am I just creating a Cert Pump?
We need a requirement, then…
• Need technology
• Need a high level design
• Need a detailed design
• Need Policies
• Need a Policy Authority
• Need Procedures
• Need a KSC
PKI Deployment Methodology
1. Project Initiation
2. Requirements Analysis and Design
3. Development / Testing / Policy
4. Installation, Integration and Testing
5. Deployment
6. Operations / Maintenance
Phases
Typical Deployment – Multi-technology
[Diagram: Root CA; three Issuing Authorities (Microsoft AD CS, Entrust SM); HSMs; RAs; SSL Inspection CA; Policy]
Policies
• Policy Management and Control
• Assurance and Compliance
• Policies
  • Certificate Policy
  • Certification Practice Statement
  • Relying Party Agreements
  • Subscriber Agreements
  • Policy Disclosure Statements
• Who needs to be involved
Best Practice Considerations
• Path Length Constraints
• Policy
• Policy Authority
• HSMs
• Root Offline
• Certificate Lifetime
• Key Size
• Root and IA Lifetimes
• OIDs and CPS
• Key Usage
• CRL HA
• Separation
• KSC
• Training
• Multi Person Control
• Audit
• Management
• Security Event Monitoring
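As an added illustration of the hierarchy and of several best-practice items above (offline root with a path length constraint, issuing authorities limited to end-entity issuance, bounded root/IA/end-entity lifetimes, separation of CA and end-entity key usage), the following Go program builds a small two-tier hierarchy with the standard library's crypto/x509 and then runs checks over it. It is example code written for this page, not Entrust Datacard software; the CA names, serial numbers and lifetime ceilings (20 years for the root, 10 years for the issuing authority, 398 days for end entities) are assumed illustrative values, and it needs Go 1.18 or later for the generic must helper.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed lifetime ceilings in days per tier (illustrative values, not any vendor's policy).
var maxDays = map[string]int{"root": 7305, "issuer": 3653, "leaf": 398}

// caTemplate sets cA=TRUE, an explicit pathLenConstraint and CA-only key usages.
func caTemplate(cn string, serial int64, years, pathLen int) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// leafTemplate describes a TLS server certificate that is explicitly not a CA.
func leafTemplate(cn string, serial int64, days int) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// must unwraps a (value, error) pair and panics on error; acceptable in a demo, not in production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustCert generates a P-256 key and has parentKey sign tmpl; a nil parent means self-signed.
func mustCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// verifyChain asks Go's path validator to build leaf -> intermediates -> root; it enforces
// cA=TRUE, pathLenConstraint and validity periods on every CA in the path.
func verifyChain(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// checkPolicy returns findings for the lifetime, path-length and CA/end-entity separation items.
func checkPolicy(c *x509.Certificate, role string) []string {
	var f []string
	if c.NotAfter.After(c.NotBefore.AddDate(0, 0, maxDays[role])) {
		f = append(f, role+" lifetime exceeds the policy ceiling")
	}
	if role == "leaf" && (c.IsCA || c.KeyUsage&x509.KeyUsageCertSign != 0) {
		f = append(f, "end-entity certificate has CA capabilities")
	}
	if role != "leaf" && (!c.IsCA || len(c.ExtKeyUsage) > 0) {
		f = append(f, "CA certificate is not cA=TRUE or carries end-entity EKUs")
	}
	if (role == "issuer" && c.MaxPathLen != 0) || (role == "root" && c.MaxPathLen < 0) {
		f = append(f, role+" CA lacks a tight pathLenConstraint")
	}
	return f
}

// RunDemo builds offline root -> issuing CA (pathlen 0) -> leaf, shows that a CA issued beneath
// the pathlen-0 issuer breaks path validation, and runs the policy checks over each certificate.
func RunDemo() (goodErr, deepErr error, findings map[string][]string) {
	root, rootKey := mustCert(caTemplate("Example Root CA", 1, 15, 1), nil, nil)
	iss, issKey := mustCert(caTemplate("Example Issuing CA", 2, 8, 0), root, rootKey)
	leaf, _ := mustCert(leafTemplate("www.example.test", 3, 365), iss, issKey)
	sub, subKey := mustCert(caTemplate("Unplanned Sub CA", 4, 5, 0), iss, issKey) // violates pathlen 0
	deep, _ := mustCert(leafTemplate("deep.example.test", 5, 365), sub, subKey)
	longLeaf, _ := mustCert(leafTemplate("long.example.test", 6, 1095), iss, issKey) // 3-year lifetime
	goodErr = verifyChain(leaf, root, iss)
	deepErr = verifyChain(deep, root, iss, sub)
	findings = map[string][]string{"root": checkPolicy(root, "root"), "issuer": checkPolicy(iss, "issuer"),
		"leaf": checkPolicy(leaf, "leaf"), "long-leaf": checkPolicy(longLeaf, "leaf")}
	return goodErr, deepErr, findings
}

func main() {
	goodErr, deepErr, findings := RunDemo()
	fmt.Printf("planned chain: %v\nunplanned sub-CA chain: %v\nfindings: %v\n", goodErr, deepErr, findings)
}
```

The planned chain validates, while the chain through "Unplanned Sub CA" is rejected with Go's "too many intermediates for path length constraint" even though every signature in it is correct: the pathLenConstraint of 0 on the issuing authority, not the signing key alone, is what stops an extra CA tier from becoming trusted, which is why the deck lists path length constraints beside an offline root. The policy checks report nothing for the root, issuing CA and one-year leaf, and one lifetime finding for the three-year leaf; the same checks can be pointed at any parsed certificate from a live hierarchy during an audit.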
The assurance model needs to apply to all deployment scenarios.
PKI is not a technology
On-Premise
EDC Cloud