PKI Architectures: How to Choose One - Criteria to Choose a Certain PKI Architecture (Page 3 of 4 )
As I described in the previous section, we could select one of the three main PKI architectures (single, hierarchical and mesh) to implement in our own situation. Before implementing a PKI system, someone should weight the criterion mentioned below according to the specific needs and requirements of the organization to decide which PKI architecture is more appropriate:
Budget
The budget of the organization poses a constraint in choosing a PKI model, as it needs to buy dedicated machines to host each CA. A single architecture requires only one machine to host the CA, whereas a hierarchical or mesh architecture need several machines (along appropriate software, licenses, etc.) to support these kinds of PKI configurations. In addition, their is the need for hiring more personnel in order to operate CAs, thus spending more money.
Human Resources
The size of the organization (and thus the number of employees) constitutes another limitation in choosing a PKI model.
A single architecture is preferred when the organization is small and does not accept many requests for certificates. Also, small organizations usually do not want to occupy dedicated personnel in operating the CA; they assign CA operation to someone who has already other responsibilities as well. In addition, a single architecture is simple to deploy, therefore it doesn't require much technical experience.
In the case of larger organizations, the choice of either hierarchical or mesh architecture is feasible assuming that appropriate personnel is available to manage CAs' operation.
Structure of Organization
The structure of the organization plays an important role in selecting the right PKI architecture. Small organizations should focus on implementing a single PKI architecture as this configuration scales easily to support a small community of users.
Large organizations should avoid single architecture as it doesn't scale well; they should choose between a hierarchical and a mesh architecture. Trust relationships are frequently mapped according to the structure of the organization, i.e. the structure of many organizations such as the government is largely hierarchical. A hierarchical architecture is suitable when the departments of the organization have distinct operations and do not need to exchange information often. In addition, managing a hierarchical architecture is easier than having to manage a mesh architecture with many trust relationships. On the other hand, a mesh architecture is preferred (rather than hierarchical) when users / group of users/ departments etc communicate frequently. It allows direct cross certification of the CAs of the end entities that need to communicate often, reducing certification path processing load. However, it does pose a more complex management of the PKI system as sometimes path discovery is difficult since there are multiple choices.
Resilience of CA
In a single architecture, if the CA is compromised no one could obtain any certification services. This problem exists in a hierarchical architecture also. When a "root" CA is compromised, this results in the the entire PKI being compromised. This problem results from the reliance on a single trust point. A mesh architecture is more resilient since there are multiple trust points. Therefore, if a single CA is compromised, this cannot damage the entire PKI system. Also, recovery is simpler in a mesh architecture than in a hierarchical; the new public key is securely distributed to the users of the recovered CA, affecting fewer users.
Next: Conclusions >>
More Security Articles
More By Eliana Stavrou
/ 17 
