So, we're all set to have a firewall, SSL connections and a good secure
OS solution.

However, somebody is convinced we need to issue and manage our own
public keys. The managing is fine, Apache will do that. If we were not
doing this commercially the issuing would be fine too, just use PGP.

However, this is a commercial web site. So, what is the best option?

- RSA offer a package that works for around $14 a seat (depending on how
many people have keys), but we don't want to pay per seat.
- Verisign offer a package that looks similar, but costs around $16,000
a 'server', which is a break even with around 2000 users, but still
expensive.
- PGP commercially offer something similar, but it does lots of other
stuff as well that we don't need.
- Microsoft claims to offer it on Windows 2000, but their web-site is
very coy about prices, key sizes and pretty well anything else you need
to know - I have seen some positive reviews about it, though. It must be
pretty new though, so I would imagine buggy.

So, and please correct me if I am wrong, the above selection doesn't
look good.

There are some other possibilities:

- iPlanet looked good, but for our application there are apparently
some licensing issues
- Mozilla PKI looks as if it might be complicated, and I am not clear if
commercial use is fine - maybe you can tell me!
- Presumably one could roll one's own code...

Any suggestions welcome!

--
"Thou shalt have one God only; who
Would be at the expense of two?"
The Latest Decalogue - Arthur Hugh Clough


