I, like Gadi, am certianly no PKI expert. I've seen folks get badly burned by this fire though... On Sat, 26 Mar 2005, Sean Donelan wrote:
Most people figured out I was not looking for a "public" CA solution. There is very little reason why internal certificates need to be recognized world-wide, or by anything outside of the internal organization. Also I didn't say it, but I'm not looking to identify natural people.
Kerb could also do this for you, routers (IOS atleast) already support Kerb for authentication... So does *nix, NT/XP/2K/2k3, MacOSX. Does this meet the need for authentication type things?
Instead of using community names for SNMP or shared secrets for VPN, an alternative for a network operator is some form of public/private keys.
You could, I'm fairly certain, hack in kerb auth to VPN clients and possibly to SNMP, though I admit to not being an ASN.1 expert either :( (kerb and snmp use this in their packing methods, rigth?)
Several people pointed out certificates don't fix the compromised device problem. Public/private key pairs are only as secure as the private key. The length of the key doesn't matter if you can get a copy of the private key.
It's the compromised device problem that was the white-hot-flame-of-love for the last PKI deployment I witnessed in action... Anwyay, Kerberos? Might it also be considered for your situation? -Chris