PKI CP/CPS

Michael Butash michael at butash.net
Thu Feb 25 12:20:47 MST 2021


In my experience, some 20 years of such, I've not ever really seen any
customer do certs properly in a large enterprise that isn't just handling
public certs, be it soho up to CIP utilities or .gov providers.  Internal
CAs are far more nefarious and prone to mismanagement, mostly because
there aren't any good products to manage them out there.  M$ servers as a CA
are about the most common denominator, but windows admins don't tend to get
security or networking to make proper use of them.  I do mostly networking,
but trying to get any customer to use certs for encryption security is like
pulling teeth as they simply have no clue about managing them.  Most still
can't generate an internal CA and client certs to save their lives via AD
as a platform.

Integrated Microsoft CA is about the *best* out there, if you like windoze,
and only use windoze.  They finally made their CA server non-ActiveX-only
as of maybe Server 2012 with some service packs, but it was always
still janky to use outside Microsoft environments.  In a completely M$
environment, maybe, but nothing else handles it too well.  Plus the win
admins typically don't know what a SAN is or how to set roles in AD/IIS to
handle any of it properly.  Throw in linux, mac or anything !windoze and
that's when things get out of control.

Admittedly, I've not looked into enterprise CA options in the past several
years, but a cohesive product is hard to find.  Your mileage may vary, but
just know this is not a simple or, sadly, practical thing.  Most like to
pretend their "internal" network is actually secure, and ignore it.  Lack
of automagical products (at whatever expense) makes it difficult, or a lack
of adequately knowledgeable staff continuously makes it difficult.

I'd love to hear some input on this, x.509 has been a thorn in my side for
decades as simply infeasible.  Mostly I just STFU and pretend I know not of
what they speak in those discussions.

-mb


On Thu, Feb 25, 2021 at 10:39 AM kelly stephenson via PLUG-discuss <
plug-discuss at lists.phxlinux.org> wrote:

> I have to put together Certificate Policies and Certification Practice
> Statements for PKI.  Embedded security is my wheelhouse so I'm reaching out
> to the IT brain trust for advice.  I'm looking at using the RFC 2527 format
> and/or NISTIR 7924 as a guiding tool.  Does anyone have any examples or
> advice?  I've read a few books on PKI CP/CPS but am in no way an expert; I
> do understand the concepts.  I'm just trying to not screw this up.
> Any and all information is appreciated.
>
> Thanks
> Kelly
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
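As an added example, not part of either message in this thread: a minimal internal CA built with openssl that issues a server certificate carrying a SAN and a certificatePolicies extension pointing at the CPS, so the certificate itself advertises the policy the CP/CPS documents describe, and then checks that both ended up in the issued cert. The corp.example names, the 1.3.6.1.4.1.99999.1.1 policy OID and the CPS URL are constructed placeholders, and the script assumes openssl 1.1.1 or later on the path.

```shell
# Added example, not from the thread. corp.example, the 1.3.6.1.4.1.99999.1.1
# policy OID and the CPS URL are constructed placeholders for an org's own values.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Self-signed internal root with explicit CA extensions from an extfile,
# so the result is the same on OpenSSL 1.1.1 and 3.x regardless of openssl.cnf.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Corp Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a server cert. $1 = primary DNS name, further args = extra SANs.
# certificatePolicies carries the policy OID and a CPS pointer (RFC 5280 qualifier).
issue_cert() {
  host="$1"; shift
  san="DNS:$host"
  for n in "$@"; do san="$san,DNS:$n"; done
  cat > "$WORK/$host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=$san
certificatePolicies=@polsect
[polsect]
policyIdentifier=1.3.6.1.4.1.99999.1.1
CPS.1="https://pki.corp.example/cps"
EOF
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Verify the chain to the internal root and confirm the SAN and the
# policy OID / CPS pointer made it into the cert. Prints "ok" on success.
check_cert() {
  host="$1"
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$host.crt" >/dev/null
  text=$(openssl x509 -in "$WORK/$host.crt" -noout -text)
  echo "$text" | grep -q "DNS:$host" || return 1
  echo "$text" | grep -q "1.3.6.1.4.1.99999.1.1" || return 1
  echo "$text" | grep -q "pki.corp.example/cps" || return 1
  echo ok
}

make_ca && issue_cert intranet.corp.example wiki.corp.example && check_cert intranet.corp.example
```

Keys, CSRs and certs land in `$WORK` (a fresh temp directory unless you set it), so the run leaves nothing behind in the current directory.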