Designing a Certification Authority Hierarchy
The decision as to which protocols to implement for CRL or CA certificate publication depends on the frequency at which you publish URLs, the protocols allowed to traverse network firewalls, and your network's operating systems. To ensure maximum availability, the URLs should be ordered so that the protocol most commonly used for CRL or CA certificate retrieval is listed first in the CDP extension. Other protocols are then listed in their order of usage.
Note Methods for defining CRL and CA certificate publication URLs are discussed in detail in Chapter 6.
Determining Business Requirements
Business requirements define an organization's goals. Typically, they define how an organization expects the PKI to improve its processes. For example, the following business requirements can affect a CA hierarchy design:
Minimizing PKI-associated costs. When reviewing CA hierarchy designs, you might have to choose a CA hierarchy that deploys the fewest CAs. For example, some organizations combine the roles of policy CAs and issuing CAs into a single CA in the hierarchy, deploying a two-tier hierarchy rather than a three-tier hierarchy.

High availability of certificates. An organization can require that a certificate be consistently available to ensure that no certificate requests fail due to a CA being down for any reason. To ensure that a certificate is consistently available, you must publish the certificate template at more than one CA in the CA hierarchy, protecting against the failure of a single CA. In addition, you can choose to deploy CAs at major hub sites on your network so that certificate requestors can request the certificate from a local CA, rather than one separated by several WAN links.

Liability of PKI participants. A CA hierarchy includes policy CAs that define the liability of the CA in the CPS. The liability should provide sufficient coverage for transactions that use CA-issued certificates. This liability definition must be reviewed by your organization's legal department to ensure that the definitions are legally correct and binding upon all participants in the PKI.
Determining External Requirements
Part II: Establishing a PKI

Not all requirements are defined by an organization. In some cases, especially if you expect to use certificates in conjunction with other organizations, you might have to meet external requirements, such as those defined by other organizations or by the governments of countries in which your organization conducts business. Examples of external requirements include:
Enabling external organizations to recognize employee-used certificates. Different solutions exist for this scenario. You can choose to not deploy an internal PKI and simply obtain certificates from commercial CAs, such as VeriSign or RSA. Alternatively, you can use cross-certification or qualified subordination to define which external certificates you trust.
Note Cross-certification and qualified subordination are discussed in detail in Chapter 13.
Using your organization's certificate at partner organizations. In some cases, the certificates issued by your CA hierarchy will be used by your employees for encryption or signing purposes at another organization. You might have to create custom certificates to meet the requirements of the other organization. One solution is to implement a CA hierarchy that defines separate internal and external policy CAs. (See Figure 5-10.)
[Figure 5-10: Implementing separate policy CAs for internal and external use. The diagram shows a Root CA with two policy CAs beneath it, External and Internal; the Partners issuing CA sits under the External policy CA, and the Europe and Asia issuing CAs sit under the Internal policy CA.]
In this example, all certificates for use with partners are issued by the Partners CA. If different issuance policies are required for these certificates, the issuance policies are defined in the CPS deployed at the external policy CA.
Industry or government legislation. Several countries have legislation that affects the design of a CA hierarchy. For example, Canada recently passed the Personal Information Protection and Electronic Documents Act. This act regulates the management of a customer's personal information when held by a private-sector company. The act requires that someone be accountable for compliance, and this person should be involved in the deployment and design of the CA hierarchy to ensure that all requirements of the Act are enforced in the design.
More Info You can obtain a copy of Canada's Personal Information Protection and Electronic Documents Act at http://laws.justice.gc.ca/en/p-8.6/91355.html.
Certificates for nonemployees. If you issue certificates to nonemployees, you must ensure that the CPS outlines nonemployee responsibilities and clearly defines the revocation policy in case you must revoke a certificate. Using a CA hierarchy like the one defined in Figure 5-10, you can deploy a separate certificate policy that includes greater detail for external clients.

Validating certificates on external networks. When designing the configuration of each CA, you must ensure that the CRL and CA certificate are published to externally accessible locations, such as a Web server in a demilitarized zone (DMZ). This allows certificate validation to take place from the external network for applications such as extranet Web servers and VPN solutions whose connections originate from the Internet.
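The two configuration points above, ordering the CDP URLs by retrieval protocol and making sure at least one location is reachable from outside the domain, can be audited on an issued certificate. The following is an added example, not code from the book or from Certificate Services: a minimal DER walker that pulls the URIs out of a CRL Distribution Points extension value in the order the CA wrote them, an audit that flags a non-preferred protocol in first position and host-less LDAP URLs (which only domain-joined clients can resolve), and an HTTP probe to run from the external side of the DMZ. The extension bytes are constructed inline from assumed example.com names; the function names and the `preferred_scheme` parameter are this example's own.

```python
"""Audit the CRL Distribution Points (CDP) extension of a certificate.

Added example: a minimal DER walker for the CRLDistributionPoints extension,
an ordering / reachability audit, and an optional HTTP probe.  The sample
extension below is constructed here, not taken from any real CA.
"""
import urllib.request


# ---- ASN.1 DER helpers -----------------------------------------------------

def _der(tag: int, content: bytes) -> bytes:
    """Encode one TLV (used only to construct the sample extension)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long form
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


# ---- constructed sample: HTTP listed first, then a host-less LDAP URL ------

HTTP_URI = "http://pki.example.com/root.crl"             # assumed host name
LDAP_URI = "ldap:///CN=Root,CN=CDP,DC=example,DC=com"    # assumed AD path


def _distribution_point(uri: str) -> bytes:
    general_name = _der(0x86, uri.encode("ascii"))   # [6] uniformResourceIdentifier
    full_name = _der(0xA0, general_name)             # [0] fullName (IMPLICIT GeneralNames)
    dp_name = _der(0xA0, full_name)                  # [0] distributionPoint (EXPLICIT, CHOICE)
    return _der(0x30, dp_name)                       # DistributionPoint SEQUENCE


SAMPLE_CDP_EXTENSION = _der(
    0x30, _distribution_point(HTTP_URI) + _distribution_point(LDAP_URI)
)


# ---- extraction and audit --------------------------------------------------

def cdp_uris(ext_value: bytes) -> list:
    """Return every URI in a CRLDistributionPoints extension value, in order."""
    tag, points, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    uris = []
    pos = 0
    while pos < len(points):
        _, point, pos = _read_tlv(points, pos)          # one DistributionPoint
        fpos = 0
        while fpos < len(point):
            ftag, field, fpos = _read_tlv(point, fpos)
            if ftag != 0xA0:                             # skip reasons [1] / cRLIssuer [2]
                continue
            ntag, names, _ = _read_tlv(field, 0)
            if ntag != 0xA0:                             # nameRelativeToCRLIssuer [1]: no URI
                continue
            npos = 0
            while npos < len(names):
                gtag, gname, npos = _read_tlv(names, npos)
                if gtag == 0x86:                         # GeneralName.uniformResourceIdentifier
                    uris.append(gname.decode("ascii"))
    return uris


def audit_cdp(uris: list, preferred_scheme: str = "http") -> list:
    """Findings against the chapter's two rules: most-used protocol first, and
    at least one location that clients outside the domain can reach."""
    if not uris:
        return ["no CRL distribution point URIs present"]
    findings = []
    first_scheme = uris[0].split(":", 1)[0].lower()
    if first_scheme != preferred_scheme:
        findings.append(f"first CDP uses {first_scheme}, expected {preferred_scheme} first")
    for uri in uris:
        if uri.lower().startswith("ldap:///"):
            findings.append(f"{uri}: host-less LDAP URL, resolvable only by domain-joined clients")
    if not any(uri.lower().startswith("http://") for uri in uris):
        findings.append("no HTTP CDP: clients on external networks cannot retrieve the CRL")
    return findings


def probe_http(uris: list, timeout: float = 5.0) -> dict:
    """Fetch each HTTP CDP (run from the external network, outside the DMZ)
    and record the HTTP status or the error; errors become results, not crashes."""
    results = {}
    for uri in uris:
        if not uri.lower().startswith("http://"):
            continue
        try:
            with urllib.request.urlopen(uri, timeout=timeout) as resp:
                results[uri] = f"HTTP {resp.status}"
        except Exception as exc:
            results[uri] = f"error: {exc}"
    return results


if __name__ == "__main__":
    found = cdp_uris(SAMPLE_CDP_EXTENSION)
    print("CDP order:", found)
    for finding in audit_cdp(found):
        print("finding:", finding)
```

On a real certificate, feed `cdp_uris` the raw value of the extension with OID 2.5.29.31 (the bytes inside the extension's OCTET STRING); the audit's `preferred_scheme` should match whichever protocol your clients use most, as the chapter states, and the host-less LDAP finding is informational when an HTTP location is also present.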