Wednesday, 1 February 2012

Re: [pakgrid] Re: PKI in Pakistan

Zahid is correct. 

However the point I had raised was that both subscribers and relying parties should make themselves familiar with the practices and policies of the CA which they utilize, especially in case of financial transactions.

Since subscribers and relying parties both will probably not have enough technical and legal expertise to evaluate the CA practices and policies, the issue of regulation of CAs becomes important. A regulated CA (regulated by a govt. body or by the central bank, for example) will carry a greater level of trust (both inside and outside a court of law) than an unregulated one.

On Mon, Jan 30, 2012 at 4:55 PM, Zahid Jamil <zahid@jamilandjamil.com> wrote:

It is going too far to say that there is no legal value to such a CA. 

It depends on the practices and policies of the CA. A digital signature does not have to be one that is validated by a third party. It's good that it is, so it will provide greater assurance. But it does not have to be in order to comply with legal requirements.

Best regards,

Zahid Jamil

Barrister-at-law

Jamil & Jamil

Barristers-at-law

219-221 Central Hotel Annexe

Merewether Road, Karachi. Pakistan

Cell: +923008238230

Tel: +92 21 35680760 / 35685276 / 35655025

Fax: +92 21 35655026

www.jamilandjamil.com

From: pakgrid@yahoogroups.com [mailto:pakgrid@yahoogroups.com] On Behalf Of Imran
Sent: 30 January 2012 14:34
To: pakgrid@yahoogroups.com
Subject: [pakgrid] Re: PKI in Pakistan

There is no legal value for an offline CA, and offline CAs are normally used in a localized environment.

Online CAs work as third-party trust providers in a trust relationship environment. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate (recipient).

Cost factors of a digital certificate
----------------------------------------
To establish online CA trust, a CA needs to follow a set of protocols/procedures, and this is the main driver of the certificate cost.

• Maintaining a minimum of 4 or more physical security tiers for the datacenter (NIFT is following the 7 physical tiers standard recommended by the US Department of Defense (DoD) for datacenters).
• Maintaining ISO 27001 certification and annual Audits
• Maintaining WebTrust certification and annual Audits
• Maintaining CP/CPS.
• Maintaining Certificate Revocation List and Warranties according to CP/CPS.
• Maintaining security segregation of duties for different responsibilities in IT operations (minimum 12 member IT operational team is required)
• Maintaining a Validation Department for RA functionality or the verification of provided credentials by customers (minimum 3 member validation team is required).
• Maintaining a separate shareholder team (minimum 5 or more members) and the distribution of digital blocks of a single security key to Command and Control authorization for functions like initiating new CAs and Renew/Rekey.
• Maintaining a separate shareholder team (minimum 3 or more members) and the distribution of digital blocks of a single security key for functions like backups and recovery.
• Maintaining DR site (replica of production) with separate staff.
• Online trusted CA creation requires a separate department called Certificate Bureau Office (CBO) and subordinate CA's key management team coordinates with CBO to establish trust between root and intermediate CAs.

Current online digital certificate cost and how we can reduce it further
----------------------------------------------------------

NIFT is already issuing digital certificates to a large number of users for around Rs. 600 per year. There are even a few more cases where we are selling certificates for less than Rs. 1000 per year, so cost should not be an issue nowadays.

We are reinventing the CA every time for each organization (i.e. SECP, FBR). Unless the Accreditation Council for CAs in Pakistan (which is not very active these days) agrees on a single skeleton of digital certificates for all-purpose usage, like NADRA's NIC, we cannot reduce the cost.

Imran Ashraf
Manager Security Business
NIFTeTRUST | NIFT
