Christopher McLaughlin (2008) Proposed Model for Outsourcing PKI.
Full text access: Open
PKI is often referred to as a pervasive substrate. This term describes the technological layer that permeates the whole of the organisation on which PKI services are established. When Whitfield Diffie and Martin Hellman published their paper New Directions in Cryptography in the mid-1970s, the concept of Public Key Cryptography allowed, for the first time, two entities with no previous relationship to exchange secure information over unsecured channels. PKI provides the infrastructure that allows Public Key Cryptography to function within a hierarchical structure, providing an acceptable level of trust between two entities. Outsourcing is the process of acquiring goods or services from an external source. Given the modular structure of today's organisations, it can also mean that goods and services are procured by one segment of the organisation from another through in-house service-supplier agreements. Outsourcing has evolved from the heavy industry and manufacturing of the 1960s to the total solution management of today. This dissertation brings together the concepts of PKI and outsourcing. It details our AB-5C Model, which organisations can use to outsource a PKI system within the scope of the business's strategic goals and objectives. Our proposed model takes into account the need to use existing models, procedures and practices in support of an outsourced PKI model. These include a process or processes to ensure that any outsourced solution adds value to the organisation, and a business strategy that allows the outsourcing strategy to be aligned with the organisation's strategic plan.
This is a published version. This version's date is 15/01/2008. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/22657677-bda0-2161-14fc-f91d0ccba408/1/
Deposited on 24-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.