From: Tomas G. <to...@pr...> - 2012-07-17 11:08:32
Oh I forgot one thing ;-)

>> I had a vague hope that someone might say:
>> For hotel-chain-such-and-so (ZZZ employees) we needed X people for Y
>> months, for getting all procedures legally water-tight.
>> Specially interfacing towards P&O-software XYZ was a real PITA.

Especially integrating with Windows smart card logon and such is a PITA.
It can be done, but many administrators have unrealistic expectations of how
easy (and cheap) it should be to integrate smart cards in an organization.

Cheers,
Tomas

> On 07/16/2012 09:59 PM, Hans Witvliet wrote:
>> On Mon, 2012-07-16 at 13:21 +0200, Tham Wickenberg wrote:
>>> Hello,
>>>
>>> I agree with Martin but thought I would throw my two cents in there as
>>> well.
>> Tnx, anything to avoid tunnel vision from my side is welcome..
>>
>>> First I would like to divide the problem into client side and CA side.
>>> The cost for the client side integration will largely be a function of
>>> what client software and systems you want to integrate with. I know very
>>> little about this side.
>> Client side is dealt with for 100%
>>
>>> On the CA side I have more experience. In my experience the cost and
>>> time required for setting up and maintaining the CA is a function of the
>>> required:
>>>
>>> * Security/Trust
>>> High security requires HSM, more personnel because of role separation,
>>> hardening, access control, physical security etc. Trust may require more
>>> documentation and audit depending on the relationship with relying
>>> parties. If a FIPS or Common Criteria certified CA is required that will
>>> limit your choices and possibly increase your cost in comparison to
>>> other alternatives.
>>>
>>> * Availability/Reliability
>>> High availability/reliability costs more because you will need
>>> redundancy in staff and in components. You will need multiple
>>> CA-servers/ Database Servers, perhaps multiple site setup etc.
>>> You will also want to have support from an integration specialist and/or
>>> software vendor if you require high availability.
>>>
>>> * Performance
>>> Cost may rise if you need a high performance solution. You may see
>>> increased cost in terms of hardware and staffing needs if you have high
>>> volumes and performance requirements. Most small CA implementations are
>>> NOT performance intensive though. One issued certificate per second is
>>> 3600 issued certificates per hour ofc.
>> Obviously, when asked to advise any software for ca/ra/crl/ocsp/etc
>> ejbca will be my first choice, knowing the developers and some of their
>> clients.
>>
>> I don't think that the costs of "the iron" will be significant, compared
>> with other costs.
>>
>>> * Certificate Enrollment Process.
>>> What your staffing needs are going to be are heavily dependent on how
>>> automated and distributed your enrollment process is. If you are
>>> enrolling a lot of users/machines you should automate it or expect a lot
>>> of manual labour. This cost will be more related to the card solution
>>> you choose and again is not my area.
>>>
>>> Due to differences in the above the time needed for setting up a CA will
>>> vary greatly from a one person - two weeks project to a four people -
>>> three months project. The effort for maintaining will vary from one
>>> person part time to many people full time.
>>>
>>> I have not discussed revocation and revocation information here, but I
>>> think it will be largely the same function as above.
>>>
>>> I realize this 'it depends' answer can be frustrating. I really can't be
>>> more precise than this without knowing more about the requirements, but
>>> I can tell you that if you score high on some of the requirements above
>>> it will probably not be very cheap.
>>>
>>> I hope this was a useful post, everyone is welcome to correct me or agree!
>> Well, it becomes clear that in this phase I do not know enough customer
>> requirements to present a real case.
>> I'm confident that with ejbca it gives me all the functionality for a
>> single machine for a tiny organisation towards clusters of HA-capable
>> subfunctions for a medium sized company.
>>
>>
>> I had a vague hope that someone might say:
>> For hotel-chain-such-and-so (ZZZ employees) we needed X people for Y
>> months, for getting all procedures legally water-tight.
>> Specially interfacing towards P&O-software XYZ was a real PITA.
>>
>> Or at the other end of the spectrum: "we tried it and you should just
>> forget about it"
>>
>>
>> Hans
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Ejbca-develop mailing list
>> Ejb...@li...
>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop