[snip]
organization. Also I didn't say it, but I'm not looking to identify natural people.
[snip]
The Cisco IOS CA and Microsoft CA have the advantage of being integrated with a lot of each vendor's products. Once set up, both try to simplify on-going maintenance as long as you use their products. roCA and CATool are stand-alone.
Several people pointed out that certificates don't fix the compromised-device problem. Public/private key pairs are only as secure as the private key; the length of the key doesn't matter if an attacker can get a copy of the private key.
It all sounds reasonable, except for one thing. PKI being the mess that it can be... it might be within reason to explore the general world of PKI, because building two separate infrastructures would potentially be a serious waste of resources. As to the security of the devices themselves, there is no easy solution (and believe me, I tried!). As long as the authentication mechanism is stored locally at the front lines, the risk will always be higher. You *could* use a third box to authenticate both, but I find that idea wasteful. You could use one third box to authenticate all devices, but I personally find that a risk by itself. I haven't figured this out yet. Gadi.