You know that you want to bring PKI into your organization. You’ve got approval from the leadership team, and you’re starting to work out your budget and requirements. An early question to answer: what trust model do you go with? Public trust, private trust, or a combination of the two? What do the different options mean, and what are the considerations around each?
In Part 1, we reviewed the concept of policy authorities and did a deep dive on public trust, talking about the benefits and drawbacks of that model. In Part 2, we conduct a similar deep dive on private trust and discuss public/private hybrid approaches that might benefit your organization.
By contrast, "private trust" describes the situation where the operator of the public-key authentication system owns and operates its own root certification authority, and takes on the tasks of defining its own operating procedures (which may be more or less stringent than the browser regime) and distributing its root CA public key to its endpoints.
The complexity of the distribution process depends upon your use case. For a corporate CA focused on certificates for internal use only, distributing the root CA public key should be pretty simple; after all, you are in control of all of those systems. You might also set up a private trust CA that interacts with a small, well-defined set of partners. While you will need your partners’ cooperation to distribute your root CA certificate, this should be easy to manage. If you are trying to establish trust with tens of thousands of customers, private trust requires that each of them install your root certificate; at that scale, be prepared for an influx of support calls.
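As an added illustration of the mechanics just described (example code, not from the original post or Entrust Datacard's tooling), the script below stands up a small private-trust PKI with the openssl CLI: a self-signed root whose policy you define, a certificate for an internal host, and two checks showing that only an endpoint holding your root accepts the chain. The CA name, host name and working directory are placeholders.

```shell
#!/bin/sh
# Added example: a minimal private-trust PKI using the openssl CLI.
# You operate the root CA, choose its policy, and hand root.pem to the
# endpoints that must trust it. All names and paths are assumptions.
set -eu

private_trust_demo() (
  dir=$(mktemp -d)
  trap 'rm -rf "$dir"' EXIT
  cd "$dir"

  # Policy is yours to define here, not the browsers': validity periods,
  # digest, extensions. These values are illustrative.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Example Corp Private Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.corp
EOF

  # 1. Self-signed root CA: the private trust anchor (10-year validity).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
      -days 3650 -sha256 -config ca.cnf >/dev/null 2>&1

  # 2. Key and CSR for an internal host, signed by the private root.
  openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
      -subj "/CN=intranet.example.corp" -config ca.cnf >/dev/null 2>&1
  openssl x509 -req -in srv.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 365 -sha256 -extfile ca.cnf -extensions srv_ext -out srv.pem \
      >/dev/null 2>&1

  # 3. An endpoint with root.pem installed accepts the chain ...
  openssl verify -CAfile root.pem srv.pem >/dev/null 2>&1 || exit 1
  # ... while one holding only the default (public) roots rejects it.
  openssl verify srv.pem >/dev/null 2>&1 && exit 1
  exit 0
)
```

Running `private_trust_demo` returns 0 only when both verification outcomes match, which is the distribution problem in miniature: every relying endpoint needs your root before your certificates mean anything to it.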
Private trust also requires the expertise to develop and maintain your own set of policy requirements. That expertise may either be in-house, or you may leverage your PKI vendor (Entrust Datacard has guided many a customer in developing trust policies). Other costs and expertise requirements will vary, depending on whether you manage your CA in house or pay your PKI vendor to manage it for you.
A major benefit of private trust is that it gives you back your autonomy, as you can define the trust policy that works for your organization. An organization using the private-trust model that has SHA-1 embedded in its systems has considerably more flexibility around the timing to remove it, because it is not subject to the CAB Forum’s guidelines (to be clear, it should still remove it).
Let’s not underestimate the importance of that flexibility. The browsers' requirements change over time, and deadlines for achieving compliance are unforgiving and sometimes quite challenging. Complex ecosystems often include bespoke components, and these are seldom designed with algorithm-agility in mind. Furthermore, the expertise required to update such components may have been lost or be temporarily unavailable when needed. As a result, it may not be possible to maintain compliance, causing public trust to be withdrawn, with costly consequences.
Finally, a word on cost. While public trust is a lower cost option if you just need to purchase a few dozen certificates, the model gets turned on its head if you’re looking for thousands of certificates on internal systems. If public trust is not required, it may be less expensive to purchase your own CA, come up with flexible policy, and issue all of the certificates that you need.
Which is right for you? The answer is “it depends” and possibly “both.”
At Entrust Datacard, we have seen customers successfully deploy both public trust and private trust models. Oftentimes, they have gone with a hybrid approach, deploying private trust for their internal systems and public trust for their customer-facing sites. Some customers have taken advantage of shared private trust offerings to leverage a private policy that they do not have to define or manage (more on this in a future post). The considerations boil down to the need for public trust, flexibility and cost.
When making a decision, consider your organization’s requirements and think about whether more than one model might apply. It’s possible that your business or industry might require public trust in some areas, but maybe not all of them. Segmenting your infrastructures and requirements can help you reach maximum flexibility and minimum cost.