Sean Donelan wrote:
Routers, IP phones, VPNs, etc. are starting to get reasonable support for certificates. So network operators may need some PKI as part of their infrastructure (rather than the traditional application-layer PKI such as Web/SSL).
But there seem to be only two choices for Public Key Infrastructure: the do-it-yourself crowd, which requires a lot of expertise just to keep running, and the we'll-do-everything-for-you crowd, which is massive in scale and price.
Have any network operators found something in between? Simple enough that, after it is set up, an administrative person can handle the day-to-day operation, but inexpensive enough that you can justify the infrastructure for the relatively few certificates being managed? Most network infrastructure is internal, so there is no need for a world-wide PKI for internal stuff.
Microsoft is actually doing an impressive job building it into their systems. Is that the direction network operators are going?
PKI is a messy, yet necessary, business. I honestly believe that you need to run your own, but what does that mean? And first, do you need it? Do you need your own CA? Do you issue your own smart cards? How do you handle new employees, old employees or expirations? How do you handle integrating the technology, and how the heck can you get it all to work?

Now, I'm as far from being a PKI expert as one can be... erm... But still, I personally strongly believe in two half-conflicting issues:

1. Do-it-yourself for every organization on the planet is a waste of resources.
2. Allowing others to manage what your organization does is wrong.

So what is the path in the middle? It comes down to size. How much are you willing to invest when considering your needs? I'd first look into whether you are actually interested in going for this mess. And even if you want to run your own shop, don't re-invent the wheel, and don't pay someone to do everything for you.

This is rather off-topic, but my inbox is open to anyone.

Gadi.