From: asad <a.a...@gm...> - 2016-10-18 19:38:34
Hello, I'm caught in the struggle to decide what is the best PKI approach for a government setup. Most governments are not keen on approaching a closed-source solution or a particular vendor's PKI solution; they want trust in the code.

I have seen, on the topic of security, that EJBCA holds Common Criteria EAL4+ certification. Comparing this with the RSA company, which holds patent rights over the RSA cryptography algorithm, it seems difficult to reason that their solution will offer an implementation which is less secure in any way.

My other argument is that even when you can see the "code", it doesn't directly translate into being able to immediately identify security bugs in the implementation of some function, i.e. hashing or code signing etc., or even having the skills to do so. Also, in the case of an open-source community, whom do you hold responsible: is it a single person or a community? Or is it a shared responsibility? Going with an RSA-based PKI solution, I don't have to go and look into the code to find trust; it's what I believe is designed and coded in the solution.

In the end, what is inherent in both approaches is poor implementation or management of the CA, lack of defined processes for notifying users in case of compromised certificates, etc. The weakness of operational controls exists.

Please advise me on how to choose.

Thanks, regards
asad