Monday 30 January 2012

[pakgrid] Re: PKI in Pakistan

There is no legal value for an offline CA, and offline CAs are normally used in a localized environment.

Online CAs work as a third-party trust provider in a trust relationship environment. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate (recipient).

Cost factors of a digital certificate
----------------------------------------
To establish online CA trust, the CA needs to follow a set of protocols/procedures, and this is the main driver of the certificate cost.

• Maintaining a minimum of 4 or more physical security tiers for the datacenter (NIFT is following the 7 physical tier standard recommended by the US Department of Defense (DoD) for datacenters).
• Maintaining ISO 27001 certification and annual audits.
• Maintaining WebTrust certification and annual audits.
• Maintaining a CP/CPS.
• Maintaining a Certificate Revocation List and warranties according to the CP/CPS.
• Maintaining security segregation of duties for different responsibilities in IT operations (a minimum 12-member IT operational team is required).
• Maintaining a Validation Department for RA functionality, i.e. the verification of credentials provided by customers (a minimum 3-member validation team is required).
• Maintaining a separate shareholders team (minimum 5 or more members) and the distribution of digital blocks of a single security key to Command and Control authorization for functions like initiating new CAs and Renew/Rekey.
• Maintaining a separate shareholders team (minimum 3 or more members) and the distribution of digital blocks of a single security key for functions like backups and recovery.
• Maintaining a DR site (replica of production) with separate staff.
• Online trusted CA creation requires a separate department called the Certificate Bureau Office (CBO), and the subordinate CA's key management team coordinates with the CBO to establish trust between root and intermediate CAs.

Current online digital certificate cost and how we can reduce it further
----------------------------------------------------------

NIFT is already issuing digital certificates to a large number of users for around Rs. 600 per year. There are even a few more cases where we are selling certificates for less than Rs. 1000 per year. So cost should not be an issue nowadays.

We are reinventing the CA every time for each organization (i.e. SECP, FBR). Unless the Accreditation Council for CAs in Pakistan (which is not very active these days) agrees on a single skeleton of digital certificates for all-purpose usage like NADRA's NIC, we cannot reduce the cost.

Imran Ashraf
Manager Security Business
NIFTeTRUST | NIFT

