From: Hans W. <hw...@a-...> - 2012-07-16 19:59:55
On Mon, 2012-07-16 at 13:21 +0200, Tham Wickenberg wrote:
> Hello,
>
> I agree with Martin but thought I would throw my two cents in there as
> well.

Thanks, anything to avoid tunnel vision from my side is welcome.

> First I would like to divide the problem into client side and CA side.
> The cost for the client side integration will largely be a function of
> what client software and systems you want to integrate with. I know very
> little about this side.

Client side is dealt with for 100%.

> On the CA side I have more experience. In my experience the cost and
> time required for setting up and maintaining the CA is a function of the
> required:
>
> * Security/Trust
> High security requires HSM, more personnel because of role separation,
> hardening, access control, physical security etc. Trust may require more
> documentation and audit depending on the relationship with relying
> parties. If a FIPS or Common Criteria certified CA is required that will
> limit your choices and possibly increase your cost in comparison to
> other alternatives.
>
> * Availability/Reliability
> High availability/reliability costs more because you will need
> redundancy in staff and in components. You will need multiple
> CA servers / database servers, perhaps a multiple site setup etc. You will
> also want to have support from an integration specialist and/or software
> vendor if you require high availability.
>
> * Performance
> Cost may rise if you need a high performance solution. You may see
> increased cost in terms of hardware and staffing needs if you have high
> volumes and performance requirements. Most small CA implementations are
> NOT performance intensive though. One issued certificate per second is
> 3600 issued certificates per hour.

Of course. Obviously, when asked to advise any software for CA/RA/CRL/OCSP/etc., EJBCA will be my first choice, knowing the developers and some of their clients. I don't think that the costs of "the iron" will be significant, compared with other costs.

> * Certificate Enrollment Process.
> What your staffing needs are going to be is heavily dependent on how
> automated and distributed your enrollment process is. If you are
> enrolling a lot of users/machines you should automate it or expect a lot
> of manual labour. This cost will be more related to the card solution
> you choose and again is not my area.
>
> Due to differences in the above the time needed for setting up a CA will
> vary greatly from a one person - two weeks project to a four people -
> three months project. The effort for maintaining will vary from one
> person part time to many people full time.
>
> I have not discussed revocation and revocation information here, but I
> think it will be largely the same function as above.
>
> I realize this 'it depends' answer can be frustrating. I really can't be
> more precise than this without knowing more about the requirements, but
> I can tell you that if you score high on some of the requirements above
> it will probably not be very cheap.
>
> I hope this was a useful post, everyone is welcome to correct me or agree!

Well, it becomes clear that in this phase I do not know enough customer requirements to present a real case. I'm confident that EJBCA gives me all the functionality, from a single machine for a tiny organisation to clusters of HA-capable subfunctions for a medium-sized company.

I had a vague hope that someone might say: "For hotel chain such-and-so (ZZZ employees) we needed X people for Y months to get all procedures legally watertight. Especially interfacing with P&O software XYZ was a real PITA." Or at the other end of the spectrum: "We tried it and you should just forget about it."

Hans