GlobalSign & PKI

An X.509 digital certificate allows each participant (person/company/device) in an electronic transaction to prove its identity to the other participants. Public Key Infrastructure (PKI) is the application of X.509-based digital certificates to establish secure communication, messaging and/or transactions over networks. Digital certificates are used to establish authentication (certainty of the other party’s identity), confidentiality (secrecy of exchanged content), integrity (inability to change content afterwards), and non-repudiation (proof of transaction validity afterwards).

In the solution provided to Kintera by GlobalSign, Kintera will become a virtual Certificate Authority (CA; manages the Certificate life cycle, including issuing, maintaining and publishing, and suspending and revoking Certificates), will be able to act as a Registration Authority (RA; an entity able to verify an applicant’s identity and initiate the issuing of Certificates on behalf of the CA), and will be able to enable Validators or Registrars to be RAs. GlobalSign’s root certificates are recognized by all browsers in common usage, and as such Kintera’s certificates will be universally accepted. GlobalSign will also provide the systems to generate the Secure Seals.

This is the GlobalSign architecture that supports the PKI:

GlobalSign’s network is set up to provide full multi-level failover and redundancy. All components are mirrored and provide backup routes and systems, load balancing, redundancy, etc.
GlobalSign’s Data Center is located in a secure vault, built according to SET and several Banking and Industry security standards.

GlobalSign’s primary site (GlobalSign HQ, Brussels):

  • Dual power plant power supply: GlobalSign has 2 incoming power cables, coming from 2 different power plants.
  • Power redundancy is provided by a Diesel Generator, with heated Diesel fuel, tested once a month (hot stand-by).
  • Dual UPS in redundancy to cover the 3-7 second startup time for the diesel. They can power the data center at full load for 12 minutes.
  • Dual Air conditioning systems.
  • Dual power supply in servers.
  • Fire protection by means of Argonite Gas to prevent water damage, and to allow staff to survive and continue working ASAP.
  • As shown in the diagram, all systems are in dual connection and hot-plug stand-by through application switches.

Figure 1

Security at GlobalSign’s HQ and Data Center is by means of several Intrusion Detection Systems, Alarms, Vibration and Motion Detection, Heat Detection, Dual Control Access With 3-Factor Authentication (incl. Biometrics), CCTV monitoring and extended logging and monitoring by both GlobalSign and external guard companies.

GlobalSign’s Servers are typically Compaq or Dell servers, running Windows NT, Windows 2000, Linux or Solaris Operating Systems. Other running applications include Oracle, SQL, and Open LDAP.

GlobalSign’s Backup Site:

To provide Disaster Recovery in case of loss of the primary site, GlobalSign can offer operation of a hot backup site as an option. This site is duplicated through redundant Fibre Channel connections.

Figure 2

Technologies used for duplication to a hot-standby backup site are:

  • RadWare WSD (Web Server Director)
  • Veritas Storage Replicator
  • ColdFusion ClusterCATS
  • Compaq MA8000 – ESA12000
  • Sanworks DRM

Below is a diagram showing how the Secure Seal will be used to connect to the DotOrg database and force a page that requires SSL, exposing the lock at the bottom of the browser and the certificate information.

Figure 3