It is going too far to say that there is no legal value to such a CA.
It depends on the practices and policies of the CA. a digital signature does not have to be one that is validated by a third party. Its good that it is so it will provide greater assurance. But it does not have to in order to comply with legal requirements.
Best regards,
Zahid Jamil
Barrister-at-law
Jamil & Jamil
Barristers-at-law
219-221 Central Hotel Annexe
Merewether Road, Karachi. Pakistan
Cell: +923008238230
Tel: +92 21 35680760 / 35685276 / 35655025
Fax: +92 21 35655026
Notice / Disclaimer
This message contains confidential information and its contents are being communicated only for the intended recipients . If you are not the intended recipient you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this message by mistake and delete it from your system. The contents above may contain/are the intellectual property of Jamil & Jamil, Barristers-at-Law, and constitute privileged information protected by attorney client privilege. The reproduction, publication, use, amendment, modification of any kind whatsoever of any part or parts (including photocopying or storing it in any medium by electronic means whether or not transiently or incidentally or some other use of this communication) without prior written permission and consent of Jamil & Jamil is prohibited.
From: pakgrid@yahoogroups.com [mailto:pakgrid@yahoogroups.com] On Behalf Of Imran
Sent: 30 January 2012 14:34
To: pakgrid@yahoogroups.com
Subject: [pakgrid] Re: PKI in Pakistan
There is no legal value for offline CA and offline CAs normally used in a localized environment
Online CAs works as a 3rd party trust provider in a trust relationship environment. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate (recipient).
Cost factors of a digital certificate
----------------------------------------
To establish online CA trust, CA needs to follow a set of protocols/procedures and it is the main driver of the certificate cost.
• Maintaining minimum of 4 or more physical security tiers for datacenter (NIFT is following 7 physical Tiers standard recommended by US Department of Defense (DoD) for datacenters.
• Maintaining ISO 27001 certification and annual Audits
• Maintaining WebTrust certification and annual Audits
• Maintaining CP/CPS.
• Maintaining Certificate Revocation List and Warranties according to CP/CPS.
• Maintaining security segregation of duties for different responsibilities in IT operations (minimum 12 member IT operational team is required)
• Maintaining a Validation Department for RA functionality or the verification of provided credentials by customers (minimum 3 member validation team is required).
• Maintaining a separate shareholders team (minimum 5 or more members) and the distribution of digital blocks of single security key to Command and Control authorization for functions like initiating new CAs and Renew/Rekey.
• Maintaining a separate shareholders team (minimum 3 or more members) and the distribution of digital blocks of single security key for the functions like backups and recovery.
• Maintaining DR site (replica of production) with separate staff.
• Online trusted CA creation requires a separate department called Certificate Bureau Office (CBO) and subordinate CA's key management team coordinates with CBO to establish trust between root and intermediate CAs.
Current online digital certificate cost and how we can reduce it further
----------------------------------------------------------
NIFT is already issuing digital certificates to a large number of users for around Rs. 600 per year. Even there are few more cases where we are selling certificates for less than Rs. 1000 per year. So cost should not be an issue now days.
We are reinventing CA every time for each organization(i.e SECP, FBR). Unless Accreditation Counsel for CAs in Pakistan (which is not much active these days) agrees on a single skeleton of Digital Certificates for all purpose usage like NADRA's NIC, we can not reduce the cost.
Imran Ashraf
Manager Security Business
NIFTeTRUST | NIFT
No comments:
Post a Comment