MPKI Solutions

Authentication, integrity and confidentiality of transactions and communications are critical issues, whether they occur on the Internet, an Extranet or an Intranet. An organization's security infrastructure is the basis of trust in the network and is the key to ensuring the authentication, privacy and non-repudiation of transactions. Ensuring that communications are secure, and that customers, employees, business partners and consumers can communicate online with total confidence, has become essential for organizations in today's globalized world.

Symantec SSL - Managed PKI Solution (OnSite)

The basis of this Managed PKI solution (OnSite) is its technology. It is a comprehensive, robust, enterprise-level platform that gives the organization complete control of its security, trust, policy and architecture, while taking advantage of all the know-how and infrastructure of MarketWare / Symantec SSL services.

The OnSite solution provides all the certificate lifecycle management services, application support and management tools necessary to operate a robust enterprise CA at a small fraction of the cost and effort associated with "DIY" solutions, while giving the customer complete control over the features of the Registration Authority (RA).

In this solution, the client appoints one or more Administrators of the OnSite service (RA Admin), each of whom is assigned a digital certificate to access the Control Center. The Administrator has total and exclusive control over the entire lifecycle of certificates and is entitled to reject, issue, revoke and renew all digital certificates. The OnSite solution lets you set up a public or private Certification Authority, under your own brand, quickly, easily and at low cost.

Hierarchy: The first step in implementing a CA is the generation of the root signing key. Protecting the root key is critical to confidence in the entire CA. MarketWare / Symantec SSL provides secure, audited generation of the root key, which is recorded on tape and submitted to a notary so that the recording cannot later be repudiated.

A public hierarchy is built on a public CA, so the hierarchy is inherited from Symantec SSL. The Symantec SSL Public CA signs the root key of the customer's CA, which in turn is responsible for signing any sub-CAs. In all certificates, the organization name is listed in the client CA.

The customer may hold the keys of additional sub-CAs. All sub-CAs are directly linked to the client's root CA. Each sub-CA is independently managed by the customer and operates according to the standards set for the root CA.

This type of hierarchy is recommended if the certificates are used both inside and outside the client's systems. The advantage of this model is that all certificates chain up to the Symantec SSL hierarchy and therefore benefit from the interconnection of its root keys. Distribution of the root CA key is guaranteed, since the Symantec SSL keys are included in the browsers, servers and e-mail clients currently in use. For example, if a user sends a signed e-mail message to another user who has a certificate issued by an organization within the public MarketWare / Symantec SSL hierarchy, the signature will automatically be recognized as reliable, because it is directly connected to an external entity generally regarded as reliable (Symantec SSL).
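The trust path described above, as an added example (not MarketWare or Symantec code): it builds a throwaway public root, customer root CA, sub-CA and end-user certificate with the `openssl` command line, then checks that a relying party who trusts only the public root accepts the user certificate when the intermediate CA certificates are supplied. All names, subjects and file names are hypothetical, and the keys are generated only for the demonstration.

```shell
#!/bin/sh
# Constructed demo of a public hierarchy; every name and file below is hypothetical.
set -e

# issue <dir> <name> <CN> <issuer name> <extension section>: new key + CSR, signed by the issuer.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
    -subj "/O=Example Org/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 30 -extfile "$1/pki.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

build_hierarchy() {
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_user]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection
EOF
  # Public root: self-signed, the only certificate a relying party trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/pki.cnf" \
    -extensions v3_ca -subj "/O=Example Public CA/CN=Public Root" \
    -keyout "$1/public.key" -out "$1/public.pem" 2>/dev/null
  issue "$1" customer "Customer Root CA" public   v3_ca    # signed by the public CA
  issue "$1" subca    "Customer Sub-CA"  customer v3_ca    # signed by the customer root
  issue "$1" user     "alice"            subca    v3_user  # end-user e-mail certificate
  cat "$1/subca.pem" "$1/customer.pem" > "$1/chain.pem"
}

# verify_user <dir> [intermediates.pem]: succeeds only if the user certificate
# chains to the public root, which is the sole trust anchor.
verify_user() {
  openssl verify -CAfile "$1/public.pem" ${2:+-untrusted $2} "$1/user.pem" 2>&1 |
    grep -q ': OK$'
}

demo_dir=$(mktemp -d)
build_hierarchy "$demo_dir"
verify_user "$demo_dir" "$demo_dir/chain.pem" && echo "chain to public root: trusted"
verify_user "$demo_dir" || echo "no intermediates supplied: path cannot be built"
```

The second check shows the operational consequence: only the root is pre-distributed, so the sender or server must deliver the customer CA and sub-CA certificates along with the end-user certificate.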

PKI Architecture: Once the hierarchy has been created, each sub-CA is able to issue and distribute digital certificates for the enterprise PKI. The OnSite solution was designed to easily support the issuance of millions of certificates. Assigning these certificates to different sub-CAs is entirely optional, but it makes it possible to differentiate certain departments or projects.

Functionality: The following diagram shows the architecture of the MarketWare / Symantec SSL OnSite solution. The items on the left represent the users, hardware and the client applications. The right side of this diagram summarizes the existing items in the Data Center of MarketWare / Symantec SSL.

Subscription of the certificates: The user connects to the subscription manager, a web server managed by the CA that uses the CA components of MarketWare / Symantec SSL OnSite to sign a certificate. Subscription applications may be approved manually by the employees of the organization responsible for operating the RA, or automatically by comparing the data provided against data in a database managed by the organization (AutoAdmin).

The approved applications are then sent (via secure connections) to Symantec SSL, where the appropriate CA creates an X.509 v3 digital certificate and signs the application. The certificate is delivered electronically to the organization via a secure transmission. The same certificate can be written to an LDAP directory service and then delivered to the customer.

End users can use browsers from Microsoft, Netscape or others to make their request. Employees with administrative responsibilities may be located anywhere, allowing the organization to distribute administrative tasks to remote locations.

Fault tolerance and Disaster Recovery

The MarketWare / Symantec SSL Data Center ensures high availability through multiple ISPs, multiple POPs, UPS and diesel generators. In case of natural disaster, Symantec SSL has another Data Center on the East Coast of the U.S.A. with the ability to resume the service within 24 hours. Even more importantly, disaster recovery simulations are conducted quarterly.

The OnSite technology is web-based, providing support for a large number of operating systems (NT, Win 2K, Solaris, and HP-UX).

Low cost

The total cost of implementing and maintaining a PKI solution using OnSite is usually significantly lower than that of a PKI fully developed and operated in-house. This reduction in total cost comes from not having to maintain and distribute software, build high-security installations, ensure compatibility with popular business applications or set up disaster recovery. All these features are included in the OnSite solution.