Dear Sajjad,
I was just reading through this whole conversation and would like to share my input on the subject matter too. BTW, I am working in NIFT as Manager PS.
I believe the primary issue of this whole discussion revolves around the pricing of digital certificates. Am I right? If yes, let me share with all of you that this is no longer an issue with the NIFT service. We have been issuing digital certificates to a large number of users for around Rs. 600 per year, even at a limited volume. Then there are a few more cases where we are selling certificates for less than Rs. 1000 per year. So this discussion that NIFT offers costly PKI services should be over now, and if someone really wants more information, s/he can write to me.
Now let's come to the second part of the discussion, where you have tried to answer Kamran's concerns. Let me share some more info for readers' interest. The difference between an offline CA and an online CA is not just the security aspect of the CA keys; rather, it has a lot to do with a number of other aspects as well. As you mentioned about CRLs, which as per recommendations should expire after a fixed interval of time [24 hours recommended, or delta CRLs with smaller intervals for critical cases], and a fresh CRL has to be signed and published by the signing CA, so an offline CA will need to sign a new CRL almost every day, and if CRL availability becomes a manual process [as it normally does, because the CA server is offline], it becomes a tedious task for the operations team. Having said that, OCSP requires an online CA due to the requirement of OCSP responder signatures on every request.
Besides CRL and OCSP, physical security of the CA keys becomes of core importance when certificates are used by financial institutions for online strong authentication and transaction security. I don't know what level of physical security is in place for PK-GRID-CA, but NIFT has established a 7-tiered physical data center with a 7-tiered disaster recovery site for its CA hosting services. The NIFT data center is ISO 27001 certified and complies with all 128 controls of physical and logical security required for a CA. NIFT CA services are also going to be certified by the web of trust for CA audit by the end of 2012, InshAllah.
With all the above said, I would now like to point out certain other aspects of online vs. offline CAs. As the saying goes, "one size does not fit all", so you have to have a CA infrastructure which is not only secure but also robust and scalable. Sub CAs play a vital role in addressing the different needs of different organizations. And when you start creating sub CAs, it won't be possible, after a certain level, to keep them offline, and an end-user CA has to come and stay online to assure the validity of end-user certificates for critical applications. Similarly, an organization may require different types of certificates for different purposes, e.g. code signing certificates, TLS, and individual certificates. It is never advisable, nor a good idea, to create just one CA for all the different types of certificates; rather, it has to be done in a hierarchical manner with defined sub CAs for issuing the different types of certificates. Similarly, there are many other things like databases, directories, and above all TRUST, which would take a lot of time to explain and discuss here.
To answer your last question about a National CA: NIFT has been working with a number of Govt. entities to establish such a CA service, but as I said before, it's all those Govt. entities which are, firstly, not serious about it; secondly, their application infrastructure is not ready to assimilate digital signatures; and thirdly, they have altogether different requirements for their applications. So if they could agree on certain minimum requirements, NIFT is more than willing to establish such a service for the country. And last but not least, no information whatsoever on the certificates issued from VeriSign (Symantec) under NIFT CA goes out of the NIFT data center.
BR,
Sajid
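The two technical points in the message above, that a CRL is only trustworthy until its nextUpdate and must be re-signed by its issuing CA before then, and that end-entity certificates should come from an online sub CA under an offline root, can be exercised end to end with the openssl command line. The script below is an added example written for this page; it is not code from the thread, from NIFT or from PK-GRID-CA. The CA names, subjects, key type and directory layout are hypothetical, and the one-day CRL lifetime mirrors the 24-hour recommendation mentioned above. OCSP is not shown.

```shell
#!/bin/sh
# Added example, not from the thread: an offline root CA and an online issuing
# sub CA, each signing a CRL valid for 24 hours, plus a relying-party check that
# shows what an expired CRL and a cached (stale) CRL each do. Only the openssl
# CLI is used; every name, subject and path here is hypothetical.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ROOT="$WORK/root"   # in production this lives on an air-gapped host
SUB="$WORK/sub"     # the online issuing CA

# Create one CA directory: "openssl ca" state files, a minimal config, a P-256 key.
make_ca() {
  dir="$1"
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"
  echo 1000 > "$dir/serial"
  echo 1000 > "$dir/crlnumber"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 1
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_ee ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF
  openssl ecparam -genkey -name prime256v1 -noout -out "$dir/ca.key"
}

# Each CA signs a fresh CRL (nextUpdate = thisUpdate + default_crl_days); the two
# CRLs are concatenated into one PEM bundle for "openssl verify -CRLfile".
publish_crls() {
  openssl ca -batch -config "$ROOT/openssl.cnf" -gencrl -out "$ROOT/root.crl"
  openssl ca -batch -config "$SUB/openssl.cnf" -gencrl -out "$SUB/sub.crl"
  cat "$ROOT/root.crl" "$SUB/sub.crl" > "$1"
}

# Build root -> issuing CA -> end-entity certificate, then the first CRL bundle.
build_pki() {
  make_ca "$ROOT"
  openssl req -x509 -new -key "$ROOT/ca.key" -config "$ROOT/openssl.cnf" \
    -subj "/CN=Example Offline Root" -days 3650 -out "$ROOT/ca.crt"
  make_ca "$SUB"
  openssl req -new -key "$SUB/ca.key" -config "$SUB/openssl.cnf" \
    -subj "/CN=Example Issuing CA" -out "$SUB/ca.csr"
  openssl ca -batch -notext -config "$ROOT/openssl.cnf" -extensions v3_ca \
    -days 1825 -in "$SUB/ca.csr" -out "$SUB/ca.crt"
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/ee.key"
  openssl req -new -key "$WORK/ee.key" -config "$SUB/openssl.cnf" \
    -subj "/CN=alice@example.test" -out "$WORK/ee.csr"
  openssl ca -batch -notext -config "$SUB/openssl.cnf" -extensions v3_ee \
    -in "$WORK/ee.csr" -out "$WORK/ee.crt"
  publish_crls "$WORK/before.crl"
}

# Relying-party check: path and CRL status of ee.crt as of epoch time $1, using
# CRL bundle $2 (-attime makes openssl evaluate validity at that instant).
verify_at() {
  openssl verify -attime "$1" -crl_check_all -CAfile "$ROOT/ca.crt" \
    -CRLfile "$2" -untrusted "$SUB/ca.crt" "$WORK/ee.crt" >/dev/null 2>&1
}

report() { if verify_at "$1" "$2"; then echo "$3: accepted"; else echo "$3: rejected"; fi; }

build_pki >/dev/null 2>&1
NOW=$(date +%s)
report "$NOW" "$WORK/before.crl" "fresh CRL, nothing revoked"
report $((NOW + 2 * 86400)) "$WORK/before.crl" "same CRL two days on (nextUpdate passed)"

# Revoke the end-entity certificate at the issuing CA and publish new CRLs.
openssl ca -batch -config "$SUB/openssl.cnf" -revoke "$WORK/ee.crt" >/dev/null 2>&1
publish_crls "$WORK/after.crl" >/dev/null 2>&1
report "$(date +%s)" "$WORK/after.crl" "fresh CRL after revocation"
report "$(date +%s)" "$WORK/before.crl" "cached pre-revocation CRL, still inside its window"
```

Run as-is it prints accepted, rejected, rejected, accepted. The second line is the operational cost of an offline CA: once nextUpdate passes, a relying party that checks revocation rejects every certificate under that CA, even though the certificates themselves are valid for years, so the root operator has to sign and publish a new CRL before that deadline, every time. The last line is the security cost of a long CRL lifetime: a relying party holding the pre-revocation CRL keeps accepting the revoked certificate until that CRL's nextUpdate forces a refresh, so the delay between a revocation and its effect is bounded only by the CRL lifetime. That is the trade-off behind the 24-hour CRLs, delta CRLs and OCSP responders discussed above.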
From: Sajjad asghar <sa4_79@yahoo.com>
To: "pakgrid@yahoogroups.com" <pakgrid@yahoogroups.com>
Sent: Monday, January 30, 2012 3:48 AM
Subject: Re: [pakgrid] Re: PKI in Pakistan
Dear Kamran,
First of all, PK-GRID-CA is an offline CA, which means it is totally secure, as none of its critical components are attached to any network. This is one way of establishing a CA; the other one is having an online CA, for which you require an HSM (FIPS level three at least), which is really expensive. OCSP is something that is required to ensure the availability of up-to-date information about revocation, and it could be set up easily. NCP is using CRLs for revoked certificates, and it is supported by the LCG project, as NCP is part of this project. I am surprised to see your comment "no root key protection under-writings": in the case of an off-line CA, the root key is protected by not connecting the signing machine to any network, and it's the physical security that becomes important, and it is covered in the CP/CPS. Furthermore, PK-GRID-CA is a member of IGTF, and there are hundreds of CAs that are part of IGTF running with the same kind of CP/CPS, as these CP/CPS are written according to RFC 3820; none of the members of IGTF has raised any concern about the security of the system. There is a due process in IGTF to get accreditation as a CA; a committee accredited PK-GRID-CA after reviewing its CP/CPS. Now NCP has been running this CA for almost 8 years and not a single problem related to security has been reported.
The current accreditation of PK-GRID-CA is from IGTF; that's why they are issuing certificates to the research community. For other purposes, a new CP/CPS document is required. If there is a community that requires digital certificates for other than research purposes, they can come under the new CP/CPS. In this case certificates are going to be much cheaper than NIFT's and more people will be able to afford a digital certificate.
In my opinion we need a national CA for this purpose and not some foreign company having potential access to our critical financial and government data (VeriSign in this case is that company).
Br
Sajjad
From: Kamran Meer <kamran.meer@gmail.com>
To: pakgrid@yahoogroups.com
Sent: Friday, January 27, 2012 3:14:26 PM
Subject: Re: [pakgrid] Re: PKI in Pakistan
Thanks to Sajjad for bringing this to our knowledge; however, if you read the CPS of this PKI established at QAU-NCP Islamabad, many of the controls have "No Stipulation": they have no key escrow arrangement, no up-time guarantees, no BCP guarantees, no OCSP and no root key protection under-writings.
The CPS also adds the disclaimer: "The PK-Grid-CA will issue certificates to entities, which are based and/or having offices in Pakistan, and are intended for cross-organizational sharing of resources. The focus of these organizations should also be in research and/or education."
In conclusion, this PKI is a great initiative taken long before NIFT but it does not compare to the features of NIFT which carries far less risk and root key protection is under-written by VeriSign PKI (now owned by Symantec). Users (even if they belong to research or education organizations) should use the services of the QAU-NCP PKI CA with full knowledge of the prevalent risks, as I have identified above.
Regards,
Kamran Meer
On Thu, Jan 26, 2012 at 11:10 PM, Sajjad asghar <sa4_79@yahoo.com> wrote:
National Center for Physics has a PKI setup with the name of PK-Grid CA; it was established in 2004, long before NIFT. Here is the website of the PK-Grid CA: http://www.ncp.edu.pk/pk-grid-ca/.
Best Regards
Sajjad Asghar
From: Javed Naushahi <jnaushahi@yahoo.com>
To: "pakgrid@yahoogroups.com" <pakgrid@yahoogroups.com>; "ammar@brain.net.pk" <ammar@brain.net.pk>
Sent: Wednesday, January 25, 2012 2:51:24 AM
Subject: [pakgrid] Re: PKI in Pakistan
Dear Jafferi saheb,
Do we have more PKIs / CAs operating in the country in the Education or Govt. sector, other than e-NIFT? Is there any plan to launch a low-cost PKI, with decades of experience under your belt in e-security?
Regards,
Javed Naushahi
From: "ammar@brain.net.pk" <ammar@brain.net.pk>
To: pakgrid@yahoogroups.com
Sent: Thursday, January 19, 2012 8:46 AM
Subject: Re: [pakgrid] URDU Content on Web
Dear Rauf Sb,
This is totally not-for-profit activity and not funded by any
organization. ( For E-Village Project ). All information is public and can
be shared with anyone interested in getting it.
Information provided by few friends has been of great help but as you all
know this is a big job and I would request all those who can help may
provide the required information.
Regards,
Ammar Jaffri