
Microsoft PKI or PKI Vendor? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.


Closed 4 years ago.


I have a question related to PKI infrastructure: should an organization go with Microsoft PKI or an independent, separate PKI infrastructure? Are there any licensing restrictions if I use Microsoft PKI infrastructure? Or should I get an independent PKI infrastructure from a vendor that offers PKI, TSA and SP (Signature Proof) infrastructure?


Any PKI infrastructure you choose is bound to have its upsides and its downsides. I can tell you from experience that the Microsoft PKI products generally play pretty well with other Microsoft products but tend to have interoperability problems with other, non-Microsoft products. Over time, my understanding is that their oldest PKI products have gotten progressively more standards compliant, but they still have their quirks.

Time stamping authorities are useful if you have concerns about the replay of signed messages:

http://en.wikipedia.org/wiki/File:Trusted_timestamping.gif

But it means that every end entity will need to use that TSA when generating signatures.

If you're using your digital certificates for SSL, you won't need it; unique per-transaction proof of the private key is part of the protocol. If you are doing web authentication, many authentication mechanisms will use either SSL client auth or do something to force the private key to sign a unique value to assure that there is no man-in-the-middle attack.

I'm not quite sure what you mean by "Signature Proof". If you mean including a random, and unique value in every hash to avoid replay attacks, then the same advice as TSA applies. But I'm guessing here.

It will all come down to -- what are you using it for? how well does it need to perform? how do users and other systems need to interface with it?

Given that PKI is expensive, no matter how you slice it, you'll want to take some serious time thinking this one out. Between the cost of licenses, the cost of installation (man-hours) and the cost of maintenance, it's a major commitment worth system-level requirements development and design.


The question really comes down to the scope of use. If the PKI will only be used internally within your organization, then Microsoft's Certificate Services product provides a decent PKI platform. However, if your certificates may be used externally -- customers, vendors, etc. -- then you probably want to investigate using a trusted third-party PKI provider like VeriSign, Cybertrust (Verizon Business), etc.

We run Microsoft CS internally and it works well, particularly since one of our primary use cases is auto-enrollment of certificates via Active Directory. It allows IIS, VPN clients, etc. to automatically get certificates issued to them on an as-needed basis.

It's not the most full-featured PKI product I've worked with. If you're looking for a really advanced feature set, then you should look at Red Hat's Certificate Services product. It's also open-sourced as the Dogtag PKI project.
