Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: PKI for medium scale network operations

  • From: Gadi Evron
  • Date: Sat Mar 26 04:37:47 2005

[snip]

organization.  Also I didn't say it, but I'm not looking to identify
natural people.
[snip]

The Cisco IOS CA and Microsoft CA have the advantage of being
integrated with a lot of each vendor's products.  Once set up,
both try to simplfy on-going maintenance as long as you use
their products.  roCA and CATool are stand-alone.

Several people pointed out certificates don't fix the compromised
device problem.  Public/private key pairs are only as secure as the
private key.  The length of the key doesn't matter if you can get
a copy of the private key.
It all sounds reasonable, except for one thing.
PKI being the mess that it can be... it might be within reason to explore the general world of PKI, because building two separate infrastructures would potentially be a serious waste of resources.

As to the security of the devices themselves, there is no easy solution (and believe me, I tried!).
As long as the authentication mechanism is stored locally at the front lines, the risk will always be higher.

You *could* use a third box to authenticate both, but I find that idea wasteful. You could use one third box to authenticate all devices, but I personally find that a risk by itself.
I didn't figure this out yet.

Gadi.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.