Hello,

I'm preparing a draft proposal to implement a PKI on a large scale in
a geographical region within an exclusive agreement to cover all
sectors, including legal, financial and trading.

The implementation draft would need to reference best practices in the
industry to cover all the industries which will be required to use it
and should be satisfied by its standards.  Encryption limits do not
exist, this is not supposed to be within the US.  So, keys if 2048 bit
and beyond are acceptable.

The draft proposal would cover software requirements, hardware and
general technical expertise usually preferred to be available as
contracted staff to have the ability to manage issues in production.

Typically, an initial implementation period would have a higher number
of people as resources to kick-off the project which later is followed
by a more suitable and smaller number of people to carry things on. 
This is assuming the normal production environment supportive services
are present, such as a help desk and infrastructure technical support.

References to typical large scale projects and medium scale projects
and their particulars as well as costs in segments would be the core
of what I seek.

I've also been exposed to hardware based solutions which might be
reasonable for some degree's of security and certain sensitive
applications within the PKI entity and throughout the business
processes that serve the CA function.

I would like the information to cover the PKI's entity's internal
processes and how they impacted.  Specially in the area of storing,
archiving, issuing and decentralizing some functionality.  Also,
applying policies on authentication and naming conventions as well as
the number of users to allow and issuance.

What are the security ratings that apply to PKI solutions that are
worth while and practical as well as perhaps a few reference sites of
where they've applied them?

When providing certifications to entities or individuals, it is
expected that the software would be capable of applying uniqueness to
names with an applicable mechanism.  Sticking with the X. 500
standards is assumed.

Entertain me if I seem like expressing known and requirements which
might be the norm these days.  I'm pretty blank when it comes to this
area. :-)

Software solutions should be capable of handling the known strongest
encryptions out there.  Platforms and OS's can be any flavor, as long
as the goal is reached.

In the area of sizing systems and contingency, disaster recovery,
standards and business/process protocols.  Please express your
recommendations backed by references even if they contradict,
explaining you feel otherwise.

Whom are the top companies that provide solutions and those whom can
be combined the form the solution based on popularity and or
leadership in quality of products.

These solutions should also be sensitive to expiration and changeover
issues where old signatures can be verified till they demise.

What are the recommended groups of people within an organization, from
a purely CA point of view, recommended by the industry to provide
services during normal operational periods?

As it'll be very difficult to cover all the above with reference, your
own knowledge and argued opinion would be suitable where found to be
appropirate.

Note:

1. The amount for this question is the max google will allow and I
shall add the max tip on top of it for a good answer.

2. Method of respond should be by level of priority and in segments as
an answer and clarifications following the first available answer as
the deadline for this information to be of use is for answer segments
to start popping in within six hours from posting this question.

3. Priority #1 is in the area of costing examples of projects of this
scale in an implement and operate structure.  The rest of the
information is priority #2 and below according to what you feel is
important and is available as well as the interactions between us in
clarifications.

Thank you and good luck. :-)

/Lizardnation

---

Clarification of Question by lizardnation-ga on 30 Dec 2002 20:36 PST

-= Guzzling Coffee =- :-)

---

Request for Question Clarification by webadept-ga on 31 Dec 2002 10:09 PST

Hi, Lizardnation

Okay, this was locked all night by the filter program because you had
the word Google in there. You have a time limit factor, and I'm just
starting. If this isn't going to do you any good now, please let me
know as I work on this. Otherwise I'll continue to work until I have
some answers for you.

As I understand this : Priority #1 is in the area of costing examples
of projects of this scale in an implement and operate structure.

You want costing examples for both implementation and continued
operation. That's what I'm working on right now.

Thanks, 

webadept-ga

---

Clarification of Question by lizardnation-ga on 31 Dec 2002 10:25 PST

Hello Webadept,

Yes, it's still applicable and I'm in a hurry to get the financial
data specifically.  DARN!  I thought someone was doing research on
this issue and I stayed up all night checking and rechecking.

Life! :-)

Please proceed and keep me posted in fractions if possible in
Clarification Posts.

I'm online while you're doing it.

Also, when you have gone through the financial informaiton, do let me
know what words not to use in order not to get my questions locked
like this as this was very urgent and I'm a bit let down by the system
for locking it carelessly like this! :-(

I'll be waiting for your assistance with this and would appreciate a
quick flow of responses. :-)

/Lizardnation

---

Clarification of Question by lizardnation-ga on 31 Dec 2002 12:44 PST

-= Pacing back and fourth =- :-)

---

Clarification of Question by lizardnation-ga on 31 Dec 2002 17:38 PST

-= Peeking in =- &-)

---

Clarification of Question by lizardnation-ga on 31 Dec 2002 20:12 PST

I need to take action in two hours which depends on the financial
portion of the information I asked for marked as priority #1.  Can I
be helped out?

/lizardnation

---

Clarification of Question by lizardnation-ga on 31 Dec 2002 20:20 PST

I've opened a question to be able to receive comments on this question
there since this is not available for extended periods and I can use
some advice.

Check post #135832

Thank you.

/Lizardnation

Hi, 

This is quite a ride, and my brain hurts. There is so much hype and
off the wall stuff out there on this subject, and contradictory terms
that I had trouble following most of it. Most of the problems for cost
and implementation come from that fact that there are several
companies pushing and selling packages which exist already on the
server OS (linux, win2k, AIX, etc) or are free in open source
communities. Thus the greatest costs really are in the personnel hours
for setup times. However you can purchase systems already installed
and ready. I could not get prices on these turn key systems, all of
them, such as good ole' Aladdin
http://www.ealaddin.com/etoken/default.asp?cf=GooeToken
which has a little Buy Now button but only leads to a contact page
where they need to talk with you. Great! it's New Years eve and I
can't talk to them. I have a list of them I will call for you and get
some pricing from them.

Major companies are backing away from PKI software, mostly I believe
because of the OpenSource systems out there. There just isn't enough
of a market now to be worth the effort.

IBM Backing Away From PKI Software
http://www.eweek.com/article2/0,3959,42578,00.asp

PKI is failing, say Sun and Microsoft: ZDNet Australia: News & ... 
Microsoft and Sun seem to agree on one thing, and it all has to do
with a worldwide network of bodies authenticating digital signatures
and certificates.
http://www.zdnet.com.au/newstech/ebusiness/story/0,2000024981,20268957,00.htm


Most server OS's come with the properties you need to setup the PKI
servers. So your costs are in servers, bandwidth and personnel.

Configuration of the Microsoft Windows 2000 PKI
The PKI is contained in the program package of the W2K Advanced
server.
http://www.ema.org/G260/tech5.htm



X.509 Certificate Authentication Service and Public Key Infrastructure
http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm

Planning for Certificate Authentication Service
http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm#pki_cas_planning


X.509 Root Certificates
http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm


http://www.aspencrypt.com/task_issuecerts.html
Enterprise License 
Part#: ASPENCR-E
$1,199.00 Registration key can be installed on an unlimited number of
machines within an organization regardless of physical location,
nationally or internationally.
http://www.aspencrypt.com/download.html


http://www.cs.utk.edu/~browne/nhse-legal/node12.html


This is a complete system they say, but I have to contact them to get
pricing information

Spyrus Products and Solutions
http://www.spyrus.com/content/products/Terisa/TLS_Platinum.asp

Here's what the service provides and prices for each of the systems I
tried to look up in other areas and get a bid together for the
complete package.  "Free" means it is available, you just have to
install it and get it working. Most of these things don't really have
a purpose unless you can think of one that I can't with a PKI service.

Protocol Support 
SSL v2 and/or v3 

	OpenSSL http://www.openssl.org/
		Runs on Linux or Unix and is free
		Runs on Windows with compile and setup 

		


TLS v1.0 (optional)
	Again OpenSSL http://www.openssl.org/


Message Encoding Standards
ASN.1/BER/DER
http://msdlocal.ebi.ac.uk/docs/asn1/

http://www.asn1.org/who.htm

Adrenta Technologies
http://www.adrenta.com/buy.htm		
Our node-locked compiler is available at a cost of $1,995.

Atos Origin
http://www.marben-products.com/ASN.1/overview.html

Key Exchange
RSA

RSA encryption patent released
http://www.computerworld.com/securitytopics/security/story/0,10801,50546,00.html

Programmers Crack RSA Encryption Code
http://www.techweb.com/wire/news/1997/10/1025rsa.html

RSA Encryption
http://mathcircle.berkeley.edu/BMC3/rsa/node4.html

How to Implement RSA Encryption
http://www.disappearing-inc.com/ciphers/rsa.html

Libraries are free and come with the OS of your choice just about.
http://www.microsoft.com/presspass/press/1996/aug96/Rsapr.asp

there is http://www.rsasecurity.com/products/ which I can't get a
price out of on their webpage so I will call them after the first and
get some type of price.




Symmetric Encryption
DES, Triple DES,   Free
RC2, and RC4   Free

Digital Signature
RSA, DSA  Free

Message Digest 
MD5  In database, OS or Free
SHA-1 In OS or Free

SHA-1: The Secure Hash Algorithm (SHA) was developed by NIST and is
specified in the Secure Hash Standard (SHS, FIPS 180). SHA-1 is a
revision to this version and was published in 1994. It is also
described in the ANSI X9.30 (part 2) standard. SHA-1 produces a
160-bit (20 byte) message digest. Although slower than MD5, this
larger digest size makes it stronger against brute force attacks.

MD5: MD5 was developed by Professor Ronald L. Rivest in 1994. Its 128
bit (16 byte) message digest makes it a faster implementation than
SHA-1.

In both cases, the fingerprint (message digest) is also
non-reversible.... your data cannot be retrieved from the message
digest, yet as stated earlier, the digest uniquely identifies the
data.



Digital certificates ... If you bought the certs. Which brings up the
point of how high do you wish to go on this scale. Are you looking to
be a Root Cert supplier, or one step lower getting the Root Cert from
someone else already established and trusted with the browsers. See if
you aren't trusted with the browser then the client is going to pop up
the security dialog and say you aren't. To get there is a costly
thing, and I would have to do some digging to see where that is done
and how much that costs. There are several suppliers of this cert
already, thawte, verisign, and geotrust are just a few. Are you
looking to be one of these? from your description it didn't sound like
it, it sounds like one step lower.

VeriSign
http://www.verisign.com/
http://www.verisign.com/products/onsite/ssl/pricing.html   $6,950 -
$57,000


VeriSign Buys Thwate
http://www.internetnews.com/bus-news/article.php/266911

Thwate
http://www.thawte.com/  

http://www.freessl.com  



Background information that I'm using to go by as guide to create what
you are trying to create.

Issuing and managing digital certificates

What is a Certificate Authority (CA)?

A Certificate Authority, or CA, is fundamentally an organization whose
purpose exists to issue certificates, and subsequently to track these
certificates for their full life cycle and possibly beyond.  A CA is
normally run by, or on behalf of, a corporate body (public or private)
which is identified in the certificates as their issuer.

For the benefit of third parties who may wish to rely on the
certificates as credentials, the CA undertakes to adhere to documented
policies and procedures which describe in some detail how the
real-world identities of certificate holders are verified, what
security controls are applied to the CA's operations, what legal
liability the CA accepts for its actions, and so on.  These
undertakings are recorded in two documents, the Certificate Policy
(CP) and the Certification Practice Statement (CPS).

What are the obligations of a CA?

A CA is responsible for ensuring that each certificate it issues
complies with the X.509 standard and contains the requisite
information about the entity (server or individual) to which it
refers.  This information will often be supplied by a separate
Registration Authority or RA, having been subject to verification by
the RA, although a CA may in some cases carry out its own RA function.

Most importantly, a CA must take appropriate security measures to
safeguard its operations, particularly in relation to protecting
private keys – its own, and those of the entities whose certificates
it issues – from loss, theft or corruption.  If the security of a
user's or a server's private key is breached, the certificate becomes
effectively worthless.  The compromise of an issuer's private key is
an exceptionally serious matter, since an attacker who had gained
possession of the key could create bogus certificates under the
original issuer's name; this would typically cast potential doubt on
large numbers of currently-active certificates, the only remedy for
which is to revoke all such certificates and issue new ones signed by
a fresh signing key.

Maintenance activities for previously issued certificates include
publishing the public key certificate in any directory or other
repository which may be required by the scheme; responding to properly
authenticated requests for a certificate to be revoked (this may
happen if the user suspects a compromise of his/her private key, or if
the individual is no longer entitled to hold the certificate e.g. when
a student or member of staff has left the institution concerned); and
notification of any certificate revocations by the mechanisms
required.  The details of how these operations are carried out will
vary from situation to situation but will be defined in the CP and
CPS.

What is a Registration Authority (RA)?

The function of the RA is to verify, to the degree of certainty
required, the correctness of the information which is presented by
someone when requesting the issue of a certificate.  For an identity
certificate which will be issued to an individual, the normal
requirement is to check his or her real world identity.

The way this is done will depend on how secure the identification
needs to be.  For very lightweight applications, certificates are
sometimes issued on the basis that the individual supplies an email
address, and the verification process is confined to checking that the
email address does indeed exist and that email can be exchanged with
it: this process normally does not require the individual to attend in
person.  At the other extreme, where it is important for the
individual's real world identity to be known with considerable
confidence, the applicant may be required to attend the RA's premises
in person and to provide specified supporting documentation, including
at least one official photo ID such as a passport.

Once the RA has satisfied itself that the information supplied fulfils
the conditions set for the issue of a certificate, it passes the
certificate request on to the CA, taking any necessary security
precautions to ensure that the CA receives only genuine authenticated
requests.

How do I know what trust to place in someone else's certificate?

In a software sense, you check the signature on the certificate.  This
tells you the issuer, and also tells you that the certificate has not
been forged or otherwise tampered with (otherwise the signature
verification process would not succeed).  Assuming you have previously
set your software environment to trust certificates issued by this
particular authority, this is as far as the software takes you.



Costing for Implementation 

	SysAdmin/DBA Setup 		$10,833.00
		Based on 2 months at $65,000 per year
	Expectations of duties : Setup OS, Setup Network, Setup Encryption
and Certs

	Programmer /DBA			$12,500  
		Based on 3 months at $50,000 per year
	Expectations of duties : Setup interface and system with database for
customer interaction
                                              purchases and accounting


Servers High End 
  I have no idea from your description what your real needs are here,
so I'm picking one that I know will satisfy your needs. The costs of
this can come way down, but right now you said you needed budget
numbers.
 
	Chose to start at IBM servers. 
	$31,495.00 
http://www-132.ibm.com/content/home/store_IBMPublicUSA/en_US/eServer/pSeries/mid_range/6506M2_70386M2200M.html


Software. 
	Again I don't know what your preference is here for systems. You are
just about open to anything with you final goal, and it was faster to
look up both than wait for a CR to come back, even with you hovering
over there.

	Linux 		$150.00
	Win2k		$1199.00 http://www.microsoft.com/windows2000/server/howtobuy/pricing/default.asp


Encryption Software and Certs

This is a guess, for now, based on the purchase of pre made
applications for creating and serving certs and encryption codes.
		$6,500


Well, that's a good start. I'm going to follow up but as you can see
there's much to weed through and decide what is needed and what is
not, which you probably knew, and that's why I'm doing it and you
aren't :-)

I'm going to post this as an answer and let you go through it and CR
for needed extra information and clarification. Try to give me some
idea of what the OS preference is, amount of clients you believe you
want to start at and anything else you can add. This field is huge,
and the more I have an understanding the faster I can answer.

Various information: 

http://www.aspencrypt.com/task_certs.html

In PKI We Trust 
http://www.networkcomputing.com/1218/1218f3.html

	From Page too Licence Costs through 3 different services
	http://img.cmpnet.com/nc/1218/graphics/1218f3.gif

           From Page 3
           http://img.cmpnet.com/nc/1218/graphics/1218f3.pdf


Thanks, 

webadept-ga

---

Clarification of Answer by webadept-ga on 01 Jan 2003 02:22 PST

I've found the requirements for root certificate on Microsoft
explorer.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/msdn_misf.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/news/rootcert.asp


If you aren't registered here as a CR, then a message pops up and most
of the time just confuses users as to what to do. The truth of the
matter is that all they have to do is accept your certificate (if your
server is setup right), but in a purchasing setup, where they are
about to put in their CC numbers, it generally results in a backout
and no sale. So it is better to be registered.

---

Clarification of Answer by webadept-ga on 01 Jan 2003 02:48 PST

The WebTrust site seems to be down. I'm looking into that now. Here is
some information on their costs however which I found in a cache.

How much does a Web Trust for CA examination cost ?

The cost of a WebTrust for CA examination is dependent upon many
factors including the following: (1) the design and scale of the CA,
(2) the degree of attention given to establishing CA policies,
procedures and practices consistent with industry practices, (3) the
extent of corrective measures needed to comply with the WebTrust for
CA Principles and Criteria, and (4) other factors such as technical
complexity. The cost of such examinations may range from $75,000 to
$250,000 for an initial examination. Update examinations are expected
to cost less, but will reflect the effort required to perform the
appropriate testing procedures.

Benefits of the WebTrust for CAs Program

Through the WebTrust for CAs process, your company will:

Achieve compliance with Microsoft's requirement for a third-party
audit of companies that are applying to place their CA root key in
Microsoft's browser

Differentiate your company from other competing CAs who have not
achieved the WebTrust for Certification Authorities status

Ensure company management, boards of directors, regulators and
business partners that the security and integrity of your CA service
meets industry-recognized standards

Global Key Contacts

To ensure a prompt response, please contact one of the following
firms:

Arthur Andersen, LLP

Mr. Jim Reeves 
Seattle, Washington 
Phone: 00 1 206-398-7259 
Mobile: 00 1 206-669-2838 
james.f.reeves@us.arthurandersen.com

Deloitte & Touche, LLP

Mr. Bruce Barrick 
Toronto, Ontario (Canada) 
Phone: 00 1 416-601-5656 
bbarrick@deloitte.ca

Ernst & Young, LLP

Mr. Jerry Devault 
Chicago Illinois 
Phone: 00 1 216-861-2214 
jerry.devault@ey.com

Grant Thornton, LLP

Mr. Don Sheehy 
Toronto, Ontario 
Phone: 01 416-360-4964 
dsheehy@grantthornton.ca

KPMG, LLP

Mr. Alfred Van Ranst 
Boston, Massachusetts 
Phone: 00 1 617-988-1054 
avanranst@kpmg.com

PricewaterhouseCoopers, LLP

Mr. Joseph Griffin 
Atlanta, Georgia 
Phone: 00 1 404-870-1480 
joseph.g.griffin@us.pwcglobal.com

For additional contacts or questions, contact:

American Institute of Certified Public Accountants

Mr. Ron Halse 
New Jersey 
Phone: 00 1 201-938-3788 
rhalse@aicpa.org

Canadian Institute of Chartered Accountants

Mr. Bryan Walker 
Toronto, Ontario (Canada) 
Phone: 00 1 416-204-3278 
bryan.walker@cica.ca


---

I'm not sure if this is the same site or not, something tells me that
it is not, but I'll make some calls on Friday and find out for sure.
There's not much I can do in the way of phone calls until then.

http://www.webtrust.net/index.shtml

webadept-ga

---

Clarification of Answer by webadept-ga on 01 Jan 2003 03:04 PST

Not getting very far with this WebTrust thing, all their sites are
down which has a bit of ironic hummor to it. I am more interested in
getting you a full audit requirement set, so you have a clear idea of
what is expected. I did find a WebTrust list of expectations in the
Google Cache.

://www.google.com/search?q=cache:lu0RHj9v6yMC:www.aicpa.org/webtrust/wtpcbassur.htm+webtrust++Verisign&hl=en&ie=UTF-8


I'm going to stop tonight now and work on this in the morning to find
a clear set of audit goals and some more implementation examples, now
that the basics are covered here.

thanks, 

webadept-ga

---

Request for Answer Clarification by lizardnation-ga on 01 Jan 2003 12:03 PST

Hello Webadept,

Your first response got me out of the dark quite well and I had enough
to get me rolling.. the following bits were very informative and
important.  I know you're expecting a clarification which I'll try and
get to you in the next few hours.

You're doing great! :-)

---

Clarification of Answer by webadept-ga on 01 Jan 2003 22:14 PST

Okay, as soon as you can. I spent the day reading and looking through
manuals. Quite an interesting subject. As soon as you can scale this
project for me, as to whether you are going for a Purchase Root Cert
or a top of the heap Root Cert I can get the rest of this information
to you.

Thanks, 

webadept-ga

---

Request for Answer Clarification by lizardnation-ga on 09 Jan 2003 14:10 PST

Hello Webadept,

My account was sidelined for a few days... Had gone through a song and
dance with the support here till it was released. :-)

My deadline for this project moved till the 20th of the month and my
account got activated an hour ago.  This was one heck of a wait.

I sure wanted to post the clarifications and get you responded to
after you've crunched this down so rapidly, but I couldn't do a thing
except watch.

Oh well,  all is not lost. :-)

/Lizardnation

---

Clarification of Answer by webadept-ga on 09 Jan 2003 16:16 PST

Good to see you back. Look forward to your CR and I'll get started on
this again. I was a little confused, but figured your life was like
mine and had to skip out for a while. No worries.

webadept-ga

---

Request for Answer Clarification by lizardnation-ga on 16 Jan 2003 14:57 PST

Hello Webadept,

Thought you were also going to contact certain points you referenced
in your reply as well as work on the audit requirement set.

And as to your question where does this fit in the PKI food chain,
right at the top. :-)  This setup issues it to the rest of its domain
in a country context.

We're back on this again, hopefully you're available. :-)

Do you have specific questions for me?

I'm more interested in the internal assurance process.  Processes,
methods and standards.

As I've discovered from your response, it seems like a pretty easy job
when it comes to the software and its cost, but then what is an issue
is the procedures and business logic that puts all of this together.

I can't wait to hear about what you may have to say about this as well
as some results from what you had expressed as your intention to get
information from contacting the mentioned destinations after the
holidays.

/Lizardnation

---

Clarification of Answer by webadept-ga on 17 Jan 2003 12:43 PST

Looks like these sites are up and running again. 


http://www.webtrust.org/certauth.htm

http://www.webtrust.org/certauth/contents.htm

I've made copies of the pages and downloaded the PDF file, so if you
have any problems getting to those sites, let me know and I'll post
the copies on my server so you can get at them.

Here are two paragraphs which are directly pertinent:

How long does a WebTrust for CAs examination require?

The initial assessment phase of a WebTrust for CAs engagement requires
4 to 6 weeks. The time period for implementation of recommended
improvements to disclosures and operating practices is specific entity
dependent. The testing phase of an examination engagement must cover a
minimum period of two months. Assuming that a minimum of remediation
is required to address gaps, the entire process requires approximately
four months of elapsed time. Updates of WebTrust for CA examinations
must be performed within at most six months after the first
certification and then at least annually, or more frequently as
conditions dictate (such as a change in the way the principles and
criteria are achieved).

How much does a Web Trust for CA examination cost ?

The cost of a WebTrust for CA examination is dependent upon many
factors including the following: (1) the design and scale of the CA,
(2) the degree of attention given to establishing CA policies,
procedures and practices consistent with industry practices, (3) the
extent of corrective measures needed to comply with the WebTrust for
CA Principles and Criteria, and (4) other factors such as technical
complexity. The cost of such examinations may range from $75,000 to
$250,000 for an initial examination. Update examinations are expected
to cost less, but will reflect the effort required to perform the
appropriate testing procedures.

---

Request for Answer Clarification by lizardnation-ga on 17 Jan 2003 13:25 PST

Needs to areas of particular interest:

1. The workflows and securing of the process of creating and
activation/deactivation of certificates.

2. The administration and staffing requirements for a comfortable
setup with high demand in mind.

>:-)

/Lizardnation

---

Clarification of Answer by webadept-ga on 17 Jan 2003 14:01 PST

Okay, I'll get started on that. 

thanks,

Excelent work! :-)

lizardnation...

This was the offending phrase:
"The amount for this question is the max google will allow".

Anything with 'Google' in it will trigger their bot, allowing 
them to see of it's a question they'd prefer to respond to
directly, vs through a researcher.

Helllo Sublime1,

Thank you for clarifying that.

I'll keep their name out of my questions from now on. :-)

/Lizardnation