Large IT Infrastructure (e.g. PKI)
Since 1999, we have served as security engineers, consultants and auditors of Public Key Infrastructures (PKIs) that use smartcards to enable network access, digitally sign and encrypt data, and enable non-repudiation. We have further helped clients design PKIs that use smartcards as tamper-resistant storage for PIN codes, private keys, digital credentials and other sensitive personal data. Our PKI work has been in the oil and gas, finance, private banking, civil government and national security sectors. Since PKI technology is complex and must work seamlessly with all aspects of the enterprise IT infrastructure, a trustworthy solution is challenging to create. Indeed, the hacking and eventual bankruptcy of the Dutch Government PKI Programme’s Certification Authority (DigiNotar) in 2011 is a cautionary tale of the disastrous effects of untrustworthy solutions. Our practical and theoretical understanding of PKI can help create trustworthy solutions as follows:
Many PKI projects run into trouble because of unclear short-term and long-term requirements. The requirements are both business and technical, as follows:
- Business Requirements: We can either specify or clarify explicit and derived business requirements for PKI, non-repudiation and encryption.
- PKI Technical Requirements: We help select and engineer cryptographic solutions to enable the trusted handling of keys and certificates.
Trust Model Selection or Clarification
A trust model helps PKI participants to determine the degree of confidence to place in a given certificate. We help you choose the right model. Typical ones are:
- Internally managed: We help create a clear and auditable PKI backed by obligatory policies.
- Chaining Trust: If required, we can help select, audit and buy in a PKI service for registered and enrolled users and devices.
- Mixed Model: You may choose a trust model that separates internal and external PKI services. Justifications may include retention of control over user enrolment and auditing requirements.
PKI Policy Structure
We are highly skilled at authoring and reviewing the following PKI policy documents:
- Certificate Policy (CP): The CP contains technical, legal and business rules applicable to all.
- Certification Practice Statement (CPS): Here we show how CAs and their agents comply with the rules mandated by the CP; and
- Other Policies: We also create policies such as relying party and subscriber agreements.
PKI Technical Architecture Design
We translate PKI technical requirements into solutions to support business needs. We can create and/or oversee the creation of the following design documents:
- PKI High Level Design (HLD): The HLD gives an overview of how entities such as CAs, Subordinate CAs, RAs, Hardware Security Modules (HSMs) and Smartcard systems collaborate.
- PKI Low Level Design (LLD): This is a detailed view of how the solution delivers services such as SSL certificates, digital signatures, etc.
- Device LLDs: The LLDs cover devices such as HSMs and Smartcard management systems.
Our audits help clients establish if CA or RA practices comply with the CP and associated CPS. At the request of Policy Management Authorities, we inspect documents, premises, staff and data of any PKI entity.