Discussion:
[Ejbca-develop] RSA PKI versus EJBCA open-source approach
asad
2016-10-18 19:38:22 UTC
Hello,

I'm caught in the struggle to decide what is the best PKI approach for a
government setup.

Most governments are not keen on approaching a closed-source solution or a
particular vendor's PKI solution; they want trust in code.

I have seen, on the topic of security, that EJBCA holds Common Criteria EAL4+
certification. Comparing this with the RSA company, which holds patent rights
over the RSA cryptography algorithm, it seems difficult to reason that their
solution will offer an implementation which is less secure in any way.

My other argument is that even when you can see the "code", it doesn't directly
translate into being able to immediately identify, or even having the skills to
identify, security bugs in the implementation of some function, i.e. hashing or
code signing etc.

Also, in the case of an open-source community, whom do you hold responsible: is
it a single person or a community? Or is it a shared responsibility?

Going with an RSA-based PKI solution, I don't have to go and look into the
code to find trust; it's what I believe is designed and coded into the
solution.

In the end, what is inherent in both approaches is the poor implementation
or management of the CA, the lack of defined processes for notifying users in
case of compromised certificates, etc. The weakness of operational controls
exists.

Please advise me on how to choose.

thanks

regards
asad
Chirpy Soft
2016-10-18 21:24:24 UTC
EMC2 has announced end of life and end of support for the RSA Certificate
Manager product. This in itself narrows down your choice :)

As an end user not affiliated with Primekey in any way:

EJBCA is probably the best enterprise quality PKI product available today.
Not that you won't have hiccups along the way but overall it is the right
fit for most PKI projects with regards to standards and regulatory
compliance, security, scalability and integration with other systems.

The other points you raise are a little too generic for fruitful
discussion. For example, you should write and implement a Certificate
Policy/Certification Practice Statement to cover specific issues such as
patch and vulnerability management, no matter what product you choose.

Best regards,
somesh
Ejbca-develop mailing list
https://lists.sourceforge.net/lists/listinfo/ejbca-develop