From: Chirpy S. <chi...@gm...> - 2016-10-18 21:24:32
EMC2 has announced end of life and end of support for the RSA Certificate Manager product. This in itself narrows down your choice :)

As an end user not affiliated with Primekey in any way: EJBCA is probably the best enterprise-quality PKI product available today. Not that you won't have hiccups along the way, but overall it is the right fit for most PKI projects with regard to standards and regulatory compliance, security, scalability and integration with other systems.

The other points you raise are a little too generic for fruitful discussion. For example, you should write and implement a Certificate Policy/Certification Practices Statement to cover specific issues such as patch and vulnerability management, no matter what product you choose.

Best regards,
somesh

On Tue, Oct 18, 2016 at 12:38 PM, asad <a.a...@gm...> wrote:
> Hello,
>
> I'm caught in the struggle to decide what is the best PKI approach for a government setup.
>
> Most governments are not keen on approaching a closed-source solution or a particular vendor's PKI solution; they want trust in code.
>
> I have seen, on the topic of security, that EJBCA holds Common Criteria EAL4+ certification. Comparing this with the RSA company, which holds patent rights over the RSA cryptography algorithm, it seems difficult to reason that their solution will offer an implementation which is less secure in any way.
>
> My other argument is that even when you can see the "code", it doesn't directly translate into being able to immediately identify, or even having the skills to identify, security bugs in the implementation of some function, i.e. hashing or code signing etc.
>
> Also, in the case of an open-source community, whom do we hold responsible: is it a single person or a community? Or is it a shared responsibility?
>
> Going with an RSA-based PKI solution, I don't have to go and look into the code to find trust; it's what I believe is designed and coded in the solution.
>
> In the end, what is inherent in both approaches is poor implementation or management of the CA, a lack of processes defined for notifying users in case of compromised certificates, etc. The weakness of operational controls exists.
>
> Please advise me on how to choose.
>
> Thanks
>
> Regards
> asad