Re: Recommendations for use of Policy CA in small PKI solutions



Some comments inline...
"CJespersen" <asktheexperts@xxxxxxxxxxxxxxxx> wrote in message news:17F1E581-8651-4125-9C2F-0948DCF8871A@xxxxxxxxxxxxxxxx
Hi

I am considering updated Pros and Cons about having Policy CA's as a
separate level in the CA hierarchy as opposed to having it in a combined role
together with issuing CA's.

In almost all the PKI cases I have been involved in so far, we only have two
or three levels in the CA hierarchy with or without HSM modules.

Three level CA solution : Offline Root, Offline Policy CA and two issuing CA's
Two level CA solution: Offline Root, Two or more Issuing CA

I am wondering if the use of the Policy CA is overkill in such rather small
designs
- if the Policy CA does not make use of qualified subordination using
policy.inf or cross-certification with other companies CA, could you say that
the use of a policy CA is overkill?

Probably

- if the Policy CA is being used with or without qualified subordination
specified in a policy.inf file, would it be ok to have the policy CA online
as part of the domain, even though it would be a standalone sub-CA. This
would make it a lot easier to manage.

I would rather you not deploy it at all rather than put it online. Easiness <> security

- Is it possible at all to have the policy CA being standalone, non-domain
and still be able to use the qualified subordination features? It seems that
the signing of qualified subordination requires v2 templates which are
normally only available on an enterprise OS and Enterprise CA?

If you look at the whitepaper, we describe how to generate the qualified subordination signing certificate from a standalone CA

We typically restrict which Issuing CAs are able to issue which certificates
based on which CA's the templates are published on and together with
permissions on the templates, this is often enough, when the hierarchy is as
small as mentioned and especially when only a few persons administer the
CA's in a given company.

Yep

Thanks in advance for any inputs/thoughts on this subject. Links to white
papers about the use of Policy CA's with pros and cons would be appreciated.

I am talking more about this in the upcoming second edition of my PKI book


kind regards
Claus

--
Claus Jespersen
WM-data Denmark
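
The qualified subordination discussed above, as an added example that is not part of the original thread or of any Microsoft whitepaper: a PowerShell script that writes a policy.inf constraining a new issuing CA and runs certreq -policy over its request. The constraints are the ones a Policy CA exists to impose: path length, name constraints, allowed issuance and application policies, and a policy-constraints extension. All hostnames, paths, CA names and the 1.3.6.1.4.1.99999 OID arc are assumptions for illustration; the certreq and certutil switches are the real ones.

```powershell
# Added example (not from the original post): constrain an issuing-CA
# certificate request with a policy.inf and certreq -policy.
# Paths, names and the private OID arc below are assumptions.

$ErrorActionPreference = 'Stop'

# Request generated on the new issuing CA during AD CS setup (assumed path).
$RequestIn  = 'C:\PKI\IssuingCA1.req'
$PolicyInf  = 'C:\PKI\IssuingCA1-policy.inf'
$RequestOut = 'C:\PKI\IssuingCA1-qualified.req'

# Constraint extensions are marked Critical so a relying party that does not
# understand them fails the chain instead of silently ignoring them.
@'
[Version]
Signature="$Windows NT$"

; Issuance policy the issuing CA is allowed to assert in end-entity certs.
[PolicyStatementExtension]
Policies=ExampleMediumAssurance
Critical=FALSE

[ExampleMediumAssurance]
; placeholder OID under an assumed private-enterprise arc
OID=1.3.6.1.4.1.99999.1.2
Notice="Example Corp medium-assurance certificates"
URL=http://pki.example.com/cps

; Application policies (EKUs) the issuing CA may issue for.
[ApplicationPolicyStatementExtension]
Policies=AppServerAuth, AppClientAuth
Critical=FALSE

[AppServerAuth]
OID=1.3.6.1.5.5.7.3.1

[AppClientAuth]
OID=1.3.6.1.5.5.7.3.2

; The issuing CA may not certify further sub-CAs.
[BasicConstraintsExtension]
PathLength=0
Critical=TRUE

; The issuing CA may only certify subjects inside these name spaces.
[NameConstraintsExtension]
Include=NameConstraintsPermitted
Exclude=NameConstraintsExcluded
Critical=TRUE

[NameConstraintsPermitted]
DNS=example.com
DIRECTORYNAME="DC=example,DC=com"

[NameConstraintsExcluded]
DNS=example.net

; Every certificate below this CA must carry an explicit policy, and
; policy mapping is inhibited from this level down.
[PolicyConstraintsExtension]
RequireExplicitPolicy=0
InhibitPolicyMapping=0
Critical=TRUE
'@ | Set-Content -Path $PolicyInf -Encoding ASCII

# certreq -policy rewrites the request with the extensions above and prompts
# for a signing certificate: choose the Qualified Subordination signing
# certificate (application policy 1.3.6.1.4.1.311.10.3.10) issued by the
# Policy CA. Run this on a workstation holding that certificate.
certreq -policy $RequestIn $PolicyInf $RequestOut
if ($LASTEXITCODE -ne 0) { throw "certreq -policy failed (exit $LASTEXITCODE)" }

# Next steps, shown as comments because they run against the (offline) CA:
#   certreq -submit -config "policyca\Example Policy CA" $RequestOut C:\PKI\IssuingCA1.cer
#   certreq -accept C:\PKI\IssuingCA1.cer
# After issuance, confirm the constraints actually landed in the certificate:
#   certutil -dump C:\PKI\IssuingCA1.cer |
#       Select-String -Pattern 'Name Constraints','Path Length','Policy Constraints'
```

certreq -policy also accepts `-cert CertId` to name the signing certificate instead of prompting, which is what you want if the step is scripted. The post-issuance certutil -dump check matters: if the signing certificate or the INF section names are wrong, certreq may emit a request without the constraints, and an issuing CA with no name or path-length constraints is exactly the situation the Policy CA was supposed to prevent.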
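
The template-based restriction Claus describes (each issuing CA only gets the templates it should issue), as an added PowerShell example that is not part of the original thread: it reconciles the templates published on each Enterprise issuing CA against a desired list using certutil, and reports drift. The CA config strings and template names are assumptions; the certutil -CATemplates output format ("Name: Display Name -- ...") is the one the tool prints on the versions I have used and is noted as an assumption in the code.

```powershell
# Added example (not from the original post): enforce per-CA template sets.
# CA config strings ("host\CA name") and template names are assumptions.

$ErrorActionPreference = 'Stop'

# Desired template set per issuing CA. An Enterprise CA can only issue
# templates published on it, so anything not listed here gets unpublished.
$Desired = @{
    'ca1.example.com\Example Issuing CA 1' = @('WebServer', 'Machine')
    'ca2.example.com\Example Issuing CA 2' = @('User', 'SmartcardLogon')
}

function Get-PublishedTemplate {
    param([string]$Config)
    # certutil -CATemplates prints one line per template, e.g.
    #   "WebServer: Web Server -- Auto-Enroll Access Denied"
    # plus a trailing "CertUtil: ... command completed successfully." line.
    # The template name is the token before the first colon (format assumed).
    certutil -config $Config -CATemplates |
        Where-Object { $_ -match '^(?!CertUtil:)(\S+):' } |
        ForEach-Object { $Matches[1] }
}

function Get-TemplateDrift {
    param([string]$Config, [string[]]$Wanted)
    $current = @(Get-PublishedTemplate -Config $Config)
    [pscustomobject]@{
        Config   = $Config
        ToAdd    = @($Wanted  | Where-Object { $_ -notin $current })
        ToRemove = @($current | Where-Object { $_ -notin $Wanted })
    }
}

function Set-CATemplateSet {
    param([string]$Config, [string[]]$Wanted)
    $drift = Get-TemplateDrift -Config $Config -Wanted $Wanted
    # certutil -SetCATemplates publishes with +Name and unpublishes with -Name;
    # one template per invocation keeps the argument parsing unambiguous.
    foreach ($t in $drift.ToAdd) {
        certutil -config $Config -SetCATemplates "+$t"
        if ($LASTEXITCODE -ne 0) { throw "Failed to publish $t on $Config" }
    }
    foreach ($t in $drift.ToRemove) {
        certutil -config $Config -SetCATemplates "-$t"
        if ($LASTEXITCODE -ne 0) { throw "Failed to unpublish $t on $Config" }
    }
    $drift
}

foreach ($entry in $Desired.GetEnumerator()) {
    $result = Set-CATemplateSet -Config $entry.Key -Wanted $entry.Value
    "{0}: published {1}; unpublished {2}" -f $result.Config,
        ($result.ToAdd -join ','), ($result.ToRemove -join ',')
}
```

Publishing only controls which CA will process a request for a given template; who may enroll is still decided by the Enroll and Autoenroll ACEs on the template object in Active Directory (Certificate Templates snap-in or the directory ACL), so both halves need to be reviewed together. Running Get-TemplateDrift alone on a schedule gives a cheap check that nobody has quietly published a SubCA or unrestricted template on an issuing CA.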




