GloalSign & PKI
A X.509 digital certificate
allows each participant (person/company/device) of an electronic transaction
to prove his identity towards the other participants. Public Key Infrastructure
(PKI) is the application of X.509-based digital certificates to establish
secure communication, messaging and/or transactions over networks. Digital
certificates are used to establish authentication (certainty of the other
party’s identity), confidentiality (secrecy of exchanged content),
integrity (inability to change content afterwards), and non-repudiation
(proof of transaction validity afterwards).
In the solution provided to Kintera by GlobalSign, Kintera will become
a virtual Certificate Authority (CA; manages the Certificate life cycle
including issuing, maintaining and publishing, and suspending and revoking
Certificates), be able to be a Registration Authority (RA; entity able
to verify an applicant’s identity, initiate the issuing of Certificates
on behalf of the CA) and be able to enable Validators or Registrars to
be RAs. GlobalSign’s root certificates are recognized by all browsers
in common usage and as such Kintera’s certificates will be universally
accepted. GlobalSign will also provide the systems to generate the Secure
This is the GlobalSign architecture that supports the PKI:
GlobalSign’s network is set up to provide full multi-level fail
over and redundancy. All components are mirrored, provide backup-routes
and systems, load-balancing, redundancy etc.
GlobalSign’s Data Center is located in a secure vault, built according
to SET and several Banking and Industry security standards.
GlobalSign’s primary site (GlobalSign HQ, Brussels):
- Dual power plant power supply: GlobalSign has 2 incoming power cables,
coming from 2 different power plants.
- Power redundancy is provided by a Diesel Generator, with heated Diesel
fuel, tested once a month (hot stand-by)
- Dual UPS in redundancy to cover the 3-7 second startup time for the
diesel. Can provide full load data center with power for 12 minutes.
- Dual Air conditioning systems.
- Dual power supply in servers.
- Fire protection by means of Argonite Gas to prevent water damage,
and to allow staff to survive and continue working ASAP.
- As shown in the diagram, all systems are in dual connection and hot-plug
stand-by through application switches.
Security at GlobalSign’s HQ and Data Center is my means of several
Intrusion Detection Systems, Alarms, Vibration and Motion Detection, Heat
Detection, Dual Control Access With 3-Factor Authentication (incl. Biometrics),
CCTV monitoring and extended logging and monitoring by both GlobalSign
and external guard companies.
GlobalSign’s Servers are typically Compaq or Dell servers, running
Windows NT, Windows 2000, Linux or Solaris Operating Systems. Other running
applications include Oracle, SQL, and Open LDAP.
GlobalSign’s Backup Site:
To provide Disaster Recovery in case of loss of the primary site, GlobalSign
can offer operation of a hot backup site as an option. This site is duplicated
through redundant Fibre Channel connections.
Technologies used for duplication to a hot-standby backup site are:
- RadWare WSD (Web Server Director)
- Veritas Storage Replicator
- ColdFusion ClusterCATS
- Compaq MA8000 – ESA12000
- Sanworks DRM
Below is a digram showing how the Secure Seal will be used to connect
to the DotOrg database and force a page requiring SSL and exposing the
lock on the bottom of a browser and the certificate information.