Dear Sajjad,
I agree with you that we should have a national PKI structure and NIFT is very much open to help institutions like PTA and NADRA to establish such infrastructure. NIFT already provided its CA establishment knowledge base to PTA. Comparing NIFT's PKI expense with its revenue you will be amazed that we are absorbing 50% loss each year for running this facility, only because we know that PKI is strategic technology for Pakistan. I don't know if anyone has a nerve to do it right way and in a low cost.
With regards to offline CA i already told in my previous post that it has no legal value. Maybe you are confusing the term Offline with the Private CA. Private or Public both types of CAs loaded as online CA for issuing authority verification by relying party. Remember its ROOT and Intermediate CAs which remain offline even in a online trusted chain environment and its the issuing CAs which remains online for both public and private certificates.
Identities for example personal identity like NIC, organizational identity like NTN or SECP cannot fall under a single CA and subordinate CAs are required for each type of identity.
You cannot verify issuing authority in an offline environment. Private or Trusted Public CA must remain online for certificate verification
Regards
Imran Ashraf
--- In pakgrid@yahoogroups.com, Sajjad asghar <sa4_79@...> wrote:
>
> Dear Kamran,
> First of all PK-GRID-CA
> is an offline CA, which mean it is totally secure as none of its
> critical components are attached with any network, this is one way of establishing a
> CA the other one is having an online CA for which you required an HSM (FIPs
> level three atleast) which is really expensive. OCSP is something that is
> required to ensure the availability of up to date information about
> revocation and it could be setup easily. NCP is using CRL for revoked
> certificate and it is supported by the LCG project, as NCP is part of this
> project. I am surprise to see your comment "no root key protection under-writings" in the case of
> off-line CA root key is protected by not connecting the signing machine to any
> network and its the physical security that becomes important
> and it is covered in the CP/CPS. Furthermore PK-GRID-CA is member of IGTF and there are hundreds of
> CAs that are part IGTF they are running with same kind of CP/CPS as these
> CP/CPS are written according to RFC 3820 none of the members of IGTF has raise any concern about
> the security of system. There is a due process in IGTF to
> get accreditation as CA;a committee accredited
> PK-GRID-CA after reviewing its CP/CPS. Now NCP is running this CA for almost 8 years and not a single
> problem related to security has been reported.Â
> Â
> The current accreditation
> of PK-GRID-CA is from IGTF that’s why they are
> issuing certificate to research community for other purposes a new CP/CPS
> document is required. If there is a community that required digital certificate
> other than research purposes they can come under the new CP/CPS. In this case
> certificates are going to be much cheaper than NIFT and more people will be
> able to afford the digital certificate.
> Â
> In my opinion we need a
> national CA for this purpose and not some forging company having a potential
> access to our critical financial and government data (VeriSign in this case is
> that company).
> Br
> Sajjad
>
>
> ________________________________
> From: Kamran Meer <kamran.meer@...>
> To: pakgrid@yahoogroups.com
> Sent: Friday, January 27, 2012 3:14:26 PM
> Subject: Re: [pakgrid] Re: PKI in Pakistan
>
>
> Â
> Thanks to Sajjad for bringing this to our knowledge, however if you read the CPS of this PKI established at QAU-NCP Islamabad, many of the controls have "No Stipulation", they have no key escrow arrangement, no up-time guarantees, no BCP guarantees, no OCSP and no root key protection under-writings.
>
> The CPS also adds the disclaimer: "The PK-Grid-CA will issue certificates to entities, which are based and/or having offices in Pakistan, and are intended for cross-organizational sharing of resources. The focus of these organizations should also be in research and/or education."
>
> In conclusion, this PKI is a great initiative taken long before NIFT but it does not compare to the features of NIFT which carries far less risk and root key protection is under-written by VeriSign PKI (now owned by Symantec). Users (even if they belong to research or education organizations) should use the services of the QAU-NCP PKI CA with full knowledge of the prevalent risks, as I have identified above.
>
> Regards,
>
> Kamran Meer
>
> On Thu, Jan 26, 2012 at 11:10 PM, Sajjad asghar <sa4_79@...> wrote:
>
>
> >Â
> >Natioanl center for physics has a PKI setup with the name  of Pk-GRID CA ,it was established in 2004 long before NIFT.  Here is website of the  PK-Grid CA
> >http://www.ncp.edu.pk/pk-grid-ca/.
> >
> >Best Regards
> >Sajjad Asghar
> >
> >
> >
> >________________________________
> > From: Javed Naushahi <jnaushahi@...>
> >To: "pakgrid@yahoogroups.com" <pakgrid@yahoogroups.com>; "ammar@..." <ammar@...>
> >Sent: Wednesday, January 25, 2012 2:51:24 AM
> >Subject: [pakgrid] Re: PKI in Pakistan
> >
> >
> >Â
> >Dear Jafferi saheb,
> >Â
> >Do we have moe PKIs / CAs operating in the country in Education or Govt. sector?, other than e-NIFT.
> >Â
> >Is there any plan to launch low cost PKI, with decades of experience under your belt in e-security.
> >Â
> >Regards,
> >Â
> >Javed Naushahi
> >Â
> >
> >
> >From: "ammar@..." <ammar@...>
> >To: pakgrid@yahoogroups.com
> >Sent: Thursday, January 19, 2012 8:46 AM
> >Subject: Re: [pakgrid] URDU Content on Web
> >
> >
> >Â
> >Dear Rauf Sb,
> >
> >This is totally not-for-profit activity and not funded by any
> >organization. ( For E-Village Project ). All information is public and can
> >be shared with anyone interseted to get it.
> >
> >Information provided by few friends has been of great help but as you all
> >know this is a big job and I would request all those who can help may
> >provide the required information.
> >
> >Regards,
> >
> >Ammar Jaffri
> >
> >
> >
> >
> >
> >
>
No comments:
Post a Comment