Pki-based System Management∗

This article deals with the deployment of a secure IT infrastructure on a company-wide basis. This means to be able to provide secure network services to the users, independent of their physical location: on-site (via LAN) or off-site (via WAN or an external ISP). The security solution is based on the usage of X.509 certificates to perform authentication both of the users and the network’s nodes/services. The corresponding private key can be stored either on a smart-card (for mobile users) or on a secure workstation (for users that always access the services from the same workstation). Authorization can be managed either via an LDAP directory that stores users’ profiles and rights, or via attribute certificates issued directly by the managers of the services. The system will support security at two main levels: application-level, via SSL channels or S/MIME messages, and networklevel, via IPsec. Moreover, the infrastructure is conceived with flexibility as a primary goal. This derives from the fact that the infrastructure will also incoporate advanced security services based on new or forthcoming protocols such as online certificate status protocol (OCSP), time stamping protocol (TSP), and to provide common framework for secure electronic documents based on the EESSI (European electronic signature standard initiative) standard formats.