From: Tham W. <ejb...@pr...> - 2012-07-16 11:21:30
Hello,

I agree with Martin but thought I would throw my two cents in there as well.

First I would like to divide the problem into client side and CA side. The cost for the client side integration will largely be a function of what client software and systems you want to integrate with. I know very little about this side. On the CA side I have more experience.

In my experience the cost and time required for setting up and maintaining the CA is a function of the required:

* Security/Trust
  High security requires HSM, more personnel because of role separation, hardening, access control, physical security etc. Trust may require more documentation and audit depending on the relationship with relying parties. If a FIPS or Common Criteria certified CA is required that will limit your choices and possibly increase your cost in comparison to other alternatives.

* Availability/Reliability
  High availability/reliability costs more because you will need redundancy in staff and in components. You will need multiple CA servers/database servers, perhaps multiple site setup etc. You will also want to have support from an integration specialist and/or software vendor if you require high availability.

* Performance
  Cost may rise if you need a high performance solution. You may see increased cost in terms of hardware and staffing needs if you have high volumes and performance requirements. Most small CA implementations are NOT performance intensive though. One issued certificate per second is 3600 issued certificates per hour ofc.

* Certificate Enrollment Process
  What your staffing needs are going to be is heavily dependent on how automated and distributed your enrollment process is. If you are enrolling a lot of users/machines you should automate it or expect a lot of manual labour. This cost will be more related to the card solution you choose and again is not my area.

Due to differences in the above the time needed for setting up a CA will vary greatly from a one person - two weeks project to a four people - three months project. The effort for maintaining will vary from one person part time to many people full time.

I have not discussed revocation and revocation information here, but I think it will be largely the same function as above.

I realize this 'it depends' answer can be frustrating. I really can't be more precise than this without knowing more about the requirements, but I can tell you that if you score high on some of the requirements above it will probably not be very cheap.

I hope this was a useful post, everyone is welcome to correct me or agree!

Cheers,
Tham Wickenberg / PrimeKey Solutions

On 7/12/12 6:18 PM, Hans Witvliet wrote:
> On Thu, 2012-07-12 at 10:27 +0200, Andreas Bürki wrote:
>> Hi Hans
>>
>> How do you define:
>>> 1) fully implemented official PKI
>> more specific, how do you define
>>
>> official?
>>
> Hi Andreas,
>
> perhaps I was a bit too brief there...
>
> I know that there are companies/organisation that have taken the lengthy
> trouble and have certificates signed by commercial CA's. When employees
> are hired/fired, certificates are created or revoked, etc etc etc
>
> So what we see is on one hand, there are companies that start looking
> for the possibilities that PKI offer, but have nothing implemented
> _yet_.
>
> And on the other hand, small organisations that do not want/need a
> trusted third party (only two parties involved) but want to use the
> possibilities that asymmetric keys and certificates offer.
> Obviously, the needs of an airplane manufacturer are somewhat different
> from that of a table-tennis-organisation ;-) But even there, there must
> be a connection between the management of new/leaving members and
> revocation of their certificate.
>
> So, to summarize, if a small org or medium company needs to start
> enrolling certificates & smartcards, can anything be said about
> - amount of time for implementing
> - cost estimation
>
> I have no intention of being part of it, but if I say to a potential
> customer:
> "all your members/workers need a smartcard holding certificates"
> and
> "your organisation must take care of issuing and revoking",
> I can expect the questions that if they don't have that, what it will
> cost them and how long it will take....
>
> Hence my question
>
> Hans