Chapter 22. Deployment Issues and Decisions (page 179)

Interoperability Considerations

A number of interoperability issues go beyond the standards themselves. As discussed in Chapter 18, "Standards: Necessary but Not Sufficient," vendors can legitimately claim standards compliance, but multi-vendor interoperability still might not be possible for a variety of reasons. Understanding these reasons, and ensuring that the vendor community cooperates to provide acceptable and interoperable solutions, is essential.

Certificate and CRL Profiles

Even when standards-based techniques are adopted, it is still possible to dictate implementation specifics that can vary from one domain to another. This is the case with X.509 certificates and CRLs. Specifically, different certificate and CRL profiles (which are discussed in Chapter 18) are being defined to meet a variety of needs. As a deployment consideration, it is important to select technology vendors that offer flexible certificate and CRL generation so that meeting the requirements associated with multiple certificate and CRL profiles is easy to do.

Multiple Industry Accepted Standards

It is not sufficient to simply adopt a technology that is "standards based," especially when multiple standards and protocols are available. For example, end-entity certificates can be initialized through different mechanisms, cross-certification can be facilitated in both on-line and off-line operations, and revocation information can be disseminated in a variety of ways. It is important to make sure that the technology meets the needs of the organization from a requirement perspective. The more flexible a vendor product is, the more likely it is that the vendor will be able to meet the needs of the organization (both now and in the future). Thus, vendors should offer multiple solutions based on standards and practices that are in widespread use throughout the industry.

PKI-Enabled Applications

For a given application to consume the services of a PKI, it must be PKI enabled. This enables the application to invoke the necessary security services and key/certificate life cycle management functions. Technology vendors should offer standard PKI-enabled applications (for example, secure e-mail via S/MIME) as well as generic toolkits to use to easily integrate other applications into the PKI as necessary.

Policy Issues

As Chapter 6 discussed, certificate policies must also be addressed to facilitate inter-domain interoperability. Specifically, formal agreements need to be established between enterprise domains that want to communicate under one or more inter-domain policies. From a technology perspective, a PKI should be capable of supporting these policies both on certificate generation and on client-side processing. Chapter 6 provides descriptions of the certificate extensions that can be used to support certificate policy enforcement.

On-Line Versus Off-Line Operation

On-line operation is the situation in which the end-entities are directly connected to the network. Typically, the end-entities are capable of consuming all PKI-related services. Off-line operation enables end-entities to consume at least a subset of the PKI services even though they are not directly connected to the network.
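The "Certificate and CRL Profiles" and "Policy Issues" sections above describe two client-side checks a relying party performs on an issued certificate: that it conforms to the enterprise profile (required extensions, key usage, validity bounds) and that it carries the agreed certificate policy identifier; the last section adds that revocation data such as a CRL can be consumed off-line. The Go program below is an added example written for this page, not code from the book or from any vendor product. It builds a throwaway issuing CA and end-entity certificate with the Go standard library, stamps the certificate with a certificatePolicies extension, checks it against a small profile, then issues a CRL and verifies that the certificate is listed on it. The Profile struct, the policy OID under the 99999 private enterprise arc, the CRL distribution point URL and the subject names are all constructed placeholders for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Profile captures what a (hypothetical) enterprise certificate profile demands
// of an end-entity certificate. Values are constructed for this example.
type Profile struct {
	RequiredPolicy asn1.ObjectIdentifier // certificatePolicies must contain this OID
	RequiredUsage  x509.KeyUsage         // keyUsage bits that must be set
	RequiredEKU    x509.ExtKeyUsage      // extendedKeyUsage purpose that must be present
	MaxValidity    time.Duration         // longest validity period the profile allows
	RequireCRLDP   bool                  // a CRL distribution point must be present
}

// policyInformation mirrors the RFC 5280 PolicyInformation SEQUENCE (qualifiers omitted).
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // id-ce-certificatePolicies

// demoPolicy is a placeholder policy OID; a real deployment uses the OID from its CP/CPS.
var demoPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}

// CheckProfile returns every deviation of cert from the profile; an empty slice means compliant.
func CheckProfile(cert *x509.Certificate, p Profile) []string {
	var problems []string
	hasPolicy := false
	for _, oid := range cert.PolicyIdentifiers {
		if oid.Equal(p.RequiredPolicy) {
			hasPolicy = true
		}
	}
	if !hasPolicy {
		problems = append(problems, "certificatePolicies lacks "+p.RequiredPolicy.String())
	}
	if cert.KeyUsage&p.RequiredUsage != p.RequiredUsage {
		problems = append(problems, "keyUsage lacks required bits")
	}
	hasEKU := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == p.RequiredEKU {
			hasEKU = true
		}
	}
	if !hasEKU {
		problems = append(problems, "extendedKeyUsage lacks required purpose")
	}
	if cert.NotAfter.Sub(cert.NotBefore) > p.MaxValidity {
		problems = append(problems, "validity period exceeds profile maximum")
	}
	if p.RequireCRLDP && len(cert.CRLDistributionPoints) == 0 {
		problems = append(problems, "no CRL distribution point")
	}
	return problems
}

// IsRevoked parses a DER CRL, checks its signature against the issuer, and reports
// whether cert's serial number appears on it. This is the off-line revocation check.
func IsRevoked(crlDER []byte, issuer, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// Demo builds a CA and an end-entity certificate (with or without the policy OID),
// checks the profile, issues a CRL listing the certificate, and returns both results.
func Demo(withPolicy bool) (problems []string, revoked bool, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, false, err
	}
	eeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, false, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, false, err
	}
	ca, _ := x509.ParseCertificate(caDER)

	eeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "alice@example.test"},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		CRLDistributionPoints: []string{"http://crl.example.test/issuing.crl"}, // placeholder
	}
	if withPolicy {
		raw, _ := asn1.Marshal([]policyInformation{{Policy: demoPolicy}})
		eeTmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: raw}}
	}
	eeDER, err := x509.CreateCertificate(rand.Reader, eeTmpl, ca, &eeKey.PublicKey, caKey)
	if err != nil {
		return nil, false, err
	}
	ee, _ := x509.ParseCertificate(eeDER)

	profile := Profile{RequiredPolicy: demoPolicy, RequiredUsage: x509.KeyUsageDigitalSignature,
		RequiredEKU: x509.ExtKeyUsageEmailProtection, MaxValidity: 2 * 365 * 24 * time.Hour,
		RequireCRLDP: true}
	problems = CheckProfile(ee, profile)

	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: ee.SerialNumber, RevocationTime: now}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		return nil, false, err
	}
	revoked, err = IsRevoked(crlDER, ca, ee)
	return problems, revoked, err
}

func main() {
	problems, revoked, err := Demo(true)
	fmt.Println("profile problems:", problems, "revoked:", revoked, "err:", err)
}
```

Running Demo(true) yields no profile findings and a positive CRL hit; Demo(false) omits the policy extension and the checker reports exactly one deviation. The point for deployment is the one the text makes: the profile and policy OID are organisation-specific inputs, so the issuing software must let you set them per profile, and the relying-party code must read the extension rather than assume it.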