North American Network Operators Group


Re: PKI for medium scale network operations

  • From: Gadi Evron
  • Date: Fri Mar 25 17:59:50 2005

Sean Donelan wrote:
Routers, IP phones, VPN, etc are starting to get reasonable support
for certificates.  So network operators may need some PKI as part
of their infrastructure (rather than the traditional application-layer
PKI such as Web/SSL).

But there seem to be only two choices for Public Key Infrastructure.  The
do it yourself crowd which requires a lot of expertise just to keep
running, and the we'll do everything for you crowd which is massive
in scale and price.

Have any network operators found something in between?  Simple enough
that after it is set up, an administrative person can handle the day
to day operation.  But not so expensive, you can justify the
infrastructure for the relatively certificates being managed?
Most network infrastructure is internal, so there is no need for
a world-wide PKI for internal stuff.

Microsoft is actually doing an impressive job building it into
their systems.  Is that the direction network operators are going?

PKI is messy, yet necessary, business. I honestly believe that you need to run your own, but what does that mean? And first, do you need it?

Do you need your own CA? Do you issue your own smart cards? How do you handle new employees, old employees or expirations? How do you handle integrating the technology and how the heck can you get it all to work?

Now, I'm as far from being a PKI expert as one can be.. erm..
But still, I personally strongly believe in two half-conflicting issues:
1. Do-it-yourself for every organization on the planet is a waste of resources.
2. Allowing others to manage what your organization does is wrong.

So what is the path in the middle?

It comes down to size. How much are you willing to invest when considering your needs? I'd first look into whether you are actually interested in going for this mess. And even if you want to run your own shop, don't re-invent the wheel, and don't pay someone to do everything for you.

This is rather off-topic, but my inbox is open to anyone.

Gadi.