Design and Solution Documents
All of the published documents on this web site are vastly redacted, anonymised and / or truncated. Links for each document (PDF) are included in the paragraph summaries below.
Offline CA HSM Best Practices for Thales / nCipher
I was commissioned by Thales e-Security to author a white paper providing a detailed examination of architectural best practices on deploying offline certification authorities and Hardware Security Modules (HSMs). The paper articulates PKI trade‐offs in security, simplicity, availability and cost. Click on the link here to download it as I wrote it for Thales: Offline CA Best Practices White Paper. After nCipher was spun out of Thales in 2019, the document was reformatted and re-published (by this time I had retired) - you can access it by clicking this link.
Active Directory Certificate Services (ADCS) for Oxford Computer Group
I was commissioned by ThirdSpace (formerly Oxford Computer Group), the identity and security management specialists for enterprises, to author a white paper which explains PKI at a very high level and describes "how Microsoft does it". Click on the link here to download it: ADCS White Paper.
Microsoft ADCS Design Utilising HSMs
A design document which incorporated Active Directory Certificate Services (ADCS) and nCipher Hardware Security Modules (HSMs). The solution had two tiers: a Root CA and four Issuing CAs, one of which was cross-certified with a third-party CA.
Microsoft ADCS Design without Utilising HSMs
A design document which incorporated ADCS deployed entirely on a VMware networked virtualisation platform. All CA private key material was solely protected in software (no HSMs).
SafeNet HSMs Design
A design document based upon a three-tier PKI, which utilised SafeNet HSMs to protect private key material.
HID ActivID Smart Card Management System Design
A design document which incorporated HID ActivID smart card management, coupled with ADCS and nCipher HSMs.
Microsoft FIM-CM Smart Card Management System Design
A design document which incorporated FIM-CM (Microsoft smart card management) in its solution, for issuing smart cards in sixty countries. FIM-CM was coupled with ADCS and nCipher HSMs.
Microsoft ADCS Detailed Engineering
An engineering document which incorporated ADCS. Essentially, the document describes the purpose of the installation and operational scripts.
Migration of HSM Protected Keys
This overview describes the approach taken to move symmetric keys, protected by nCipher HSMs, used by a smart card management system. The keys had been protected by an HSM deployed using a FIPS 140-2 level 3 security world and needed to be moved to a new target HSM at level 2 - via an intermediate / temporary level 2.
Microsoft ADCS Operation
A support document which incorporated Microsoft PKI in its solution; it includes routine operations such as Root CA CRL publication and transferral (promulgation), scripted or ad hoc certificate enrolment, PKI monitoring, etc.
Microsoft ADCS Key Recovery
A support document describing a process to recover a decryption private key in the event of its loss.
Java Code Signing
The document describes a tactical code signing exercise: 1) creating a self-signed certificate and private key with PowerShell, 2) converting a PFX to P12 with OpenSSL, 3) importing the P12 into a Java key store. The approach was described in this technical instruction (note).
Intercede MyID Smart Card Management
A test plan which incorporated Intercede MyID in its solution and instructed on how to perform basic smart card tasks such as requesting cards, issuing cards, certificate revocation and granting operator rights entitlement.
Two AD Forests with One Credential
A report investigating available options for simplifying the logon experience after two banks were merged. The banks had separate Active Directory (AD) forests which couldn't be 'fully joined' as they had different outsourcing partners (IBM and EDS) - who couldn't agree to do anything together!
Key Signing Ceremony (KSC) Documents
Root CA CRL Publication
A KSC for publishing a Root CA CRL in a very prescriptive and disciplined manner. A laptop running VMware Workstation hosted a virtual guest which contained the offline Root CA.
Changing Private Key Protection
A KSC for changing the nCipher HSM key protection of an Issuing CA private signing key from Operator Card Set (OCS) to "module only".
SSL Problem Dialogue
I'd helped to implement cross-certification between two major UK public sector organisations, but it wasn't working! The email dialogue is a partial record of some of the deduction that was involved in understanding why certificate trust chains didn't build correctly when accessing a web-site over SSL. The deduction led me to fully understand the problem, enabling an approach to overcome it to be deployed.
Observations and Recommendations
After being away from a customer for 2 years due to my TBI in July 2015, I spent a few weeks from July 2017 doing new work for them. One of my deliverables was a report containing my observations of what I perceived they were doing incorrectly and recommendations to improve matters.
PKI Solution Design and Use Cases
I put together a slide show as a background for explaining the PKI Solution I had designed, and how various elements of the infrastructure leveraged it. There is content related to WPA2 using IEEE 802.1X, RADIUS, LDAP/S, mutual HTTPS and eMail signing using S/MIME. There is a high-level overview of the solution described here.
PKI Workshop for a Solution Migration
I ran a workshop entailing me explaining:
There's nothing particularly illuminating about anything I presented and described, but I loved the project acronym for Two Factor Authentication - Next Generation: 2FANG!
Report Proposal for a Strong Authentication Solution
After a one day site visit to a customer, I put together a report (proposal) for a solution integrator encompassing how the design I envisaged would satisfy the requirements which I had gleaned.
Material Not Shared
There are dozens more KSC documents... but they won't be shared!
Over the years, lots of engineering / detailed design documentation has been produced, but the redacting and anonymising process took away about 50% of the content. In a nutshell - it wasn't worth the bother!