[78933] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: PKI for medium scale network operations

daemon@ATHENA.MIT.EDU (Sean Donelan)
Sat Mar 26 02:20:14 2005

Date: Sat, 26 Mar 2005 02:19:49 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: nanog@merit.edu
In-Reply-To: <42449821.6080702@linuxbox.org>
Errors-To: owner-nanog@merit.edu


Most people figured out I was not looking for a "public" CA solution.
There is very little reason why internal certificates need to be
recognized world-wide, or by anything outside of the internal
organization.  Also I didn't say it, but I'm not looking to identify
natural people.

Instead of using community names for SNMP or shared secrets for VPN,
an alternative for a network operator is some form of public/private
keys.

1. Cisco IOS CA server (http://www.cisco.com/)
2. Microsoft CA software (http://www.microsoft.com/)
3. roCA, based on TinyCA (http://www.intrusion-lab.net/roca/)
4. CATool (http://www.open.com.au/)

The Cisco IOS CA and Microsoft CA have the advantage of being
integrated with a lot of each vendor's products.  Once set up,
both try to simplify on-going maintenance as long as you use
their products.  roCA and CATool are stand-alone.

Several people pointed out certificates don't fix the compromised
device problem.  Public/private key pairs are only as secure as the
private key.  The length of the key doesn't matter if you can get
a copy of the private key.
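
What the message above describes, an in-house CA whose certificates are recognised only inside the organisation, together with the caveat the thread raises, as an added example written for this page in Go. It is not code from the thread or from any of the CA products listed; the CA name, the hostname rtr1.noc.example and the nonce are made up for the example. It builds a private root with the standard library, issues a device certificate, verifies it against that root alone (the system trust store is never consulted), and then shows with a signed challenge that whoever holds a copy of the device's private key authenticates exactly as the device does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign creates a certificate from tmpl, signed with key under parent, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewInternalCA makes a self-signed root (ten years) and its signing key; the name is an assumption.
func NewInternalCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key) // parent == template: self-signed
	return cert, key, err
}

// IssueDeviceCert binds hostname to the device's public key for one year; the private key never leaves the device.
func IssueDeviceCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, hostname string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, caCert, pub, caKey)
}

// VerifyDeviceCert accepts a certificate only if it chains to our root and names the expected host.
func VerifyDeviceCert(root, presented *x509.Certificate, hostname string) error {
	pool := x509.NewCertPool() // only our root; the system trust store is deliberately not used
	pool.AddCert(root)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// SignChallenge is the device's proof of possession: sign a fresh nonce with its private key.
func SignChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// CheckChallenge verifies the signature with the cert's public key; a copied private key passes too.
func CheckChallenge(cert *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	caCert, caKey, _ := NewInternalCA("noc-internal-root")
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	devCert, _ := IssueDeviceCert(caCert, caKey, "rtr1.noc.example", &devKey.PublicKey)
	fmt.Println("our root accepts rtr1:", VerifyDeviceCert(caCert, devCert, "rtr1.noc.example") == nil)
	// The caveat from the thread: a copy of devKey answers the challenge exactly as the device would.
	nonce := []byte("constructed-nonce-0001") // constructed for the example
	sig, _ := SignChallenge(devKey, nonce)
	fmt.Println("holder of a copied private key still authenticates:", CheckChallenge(devCert, nonce, sig))
}
```

For brevity the device key is generated in the same process; on a real router it would be generated on the device and only a CSR sent to the CA. A certificate for the same hostname from any other CA fails VerifyDeviceCert because only our root is in the pool, which is the whole point of not needing a public CA. Note what is missing for the compromised-device case: the root carries the CRLSign usage, but nothing here checks a CRL, so a certificate whose private key has leaked stays valid until NotAfter unless you add revocation checking or keep lifetimes short.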

