
July 2007 Archives


July 26, 2007

Manage or be surprised... in a rather unpleasant way

What do you think about securing inter-application communication channels with an SSL-like solution? Or with any solution that requires introducing certificate management procedures? Well, yes, I also think it’s great, even in fairly complex environments, provided it’s done right. And unfortunately, usually it isn’t.

Why? Because doing it right costs money, and a lot of it. The amount depends heavily on the size of the infrastructure and its architecture. It also makes a real difference whether we run the CA ourselves or buy each and every certificate from some external CA.

To be sure our communication channels are secured we need to properly manage our certificates' lifecycle: we need to generate or buy them whenever we set up a new secured link; we need to make sure the private keys are stored securely and, if we suspect they might have been compromised, revoke the certificates and generate new ones. And finally, once the expiration date comes, we need to renew them; a never-ending, or nearly never-ending, validity period should be considered insecure by its very nature.

Often it’s crucial that we manage to renew the certificate before its validity period ends, or else the so-very-important-business-process gets stuck and we’re sooo gonna get it. And that’s precisely why the expensive certificate and key management procedures, the underlying management software and the staff who know how to operate it are pretty useful to have.
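To make the lifecycle concrete, here is an added example (not code from the original post) of the kind of check the management software and staff mentioned above would run: an inventory of link certificates is triaged into revoked, expired, not-yet-valid, renew-now and ok, so that renewals start before a link stops working. The inventory entries use the field names Python's `ssl.getpeercert()` returns (`notBefore`, `notAfter`, `serialNumber`); the sample inventory, the revocation set, the fixed "today" and the 30-day renewal lead time are all constructed assumptions for the demonstration.

```python
"""Expiry and revocation triage for an inventory of link certificates.

Added example, not from the original post. Inventory entries follow the
field names of Python's ssl.getpeercert(); the sample data, the revoked
serial set and the renewal lead time are constructed assumptions.
"""
import ssl
from datetime import datetime, timedelta, timezone

# Assumed policy: start the renewal this many days before notAfter.
RENEWAL_LEAD = timedelta(days=30)


def _utc(cert_time: str) -> datetime:
    """Parse an OpenSSL-style 'Jul 30 00:00:00 2007 GMT' timestamp to aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def classify(cert: dict, revoked_serials: set, now: datetime) -> tuple:
    """Return (state, days_left) for one certificate.

    States, checked in priority order:
      revoked        serial is on our own revocation list: replace key pair and cert
      expired        notAfter has passed: the link is already broken
      not_yet_valid  notBefore is in the future: clock skew or a premature rollout
      renew          inside the renewal lead window: act now, before it breaks
      ok             nothing to do yet
    """
    not_before = _utc(cert["notBefore"])
    not_after = _utc(cert["notAfter"])
    days_left = (not_after - now).days
    if cert.get("serialNumber") in revoked_serials:
        return "revoked", days_left
    if now >= not_after:
        return "expired", days_left
    if now < not_before:
        return "not_yet_valid", days_left
    if not_after - now <= RENEWAL_LEAD:
        return "renew", days_left
    return "ok", days_left


def triage(inventory: dict, revoked_serials: set, now: datetime) -> dict:
    """Classify every link's certificate; returns {link_name: (state, days_left)}."""
    return {name: classify(cert, revoked_serials, now) for name, cert in inventory.items()}


# Constructed sample inventory: four inter-application links, one certificate each.
SAMPLE_INVENTORY = {
    "billing->ledger": {"notBefore": "Aug 20 00:00:00 2006 GMT",
                        "notAfter": "Aug 20 00:00:00 2007 GMT",
                        "serialNumber": "0A1B"},
    "crm->billing": {"notBefore": "Jul 01 00:00:00 2007 GMT",
                     "notAfter": "Jul 01 00:00:00 2008 GMT",
                     "serialNumber": "0A1C"},
    "hr->payroll": {"notBefore": "Jul 01 00:00:00 2006 GMT",
                    "notAfter": "Jul 01 00:00:00 2007 GMT",
                    "serialNumber": "0A1D"},
    "portal->crm": {"notBefore": "Jan 01 00:00:00 2007 GMT",
                    "notAfter": "Jan 01 00:00:00 2008 GMT",
                    "serialNumber": "0A1E"},
}
# Constructed: serial 0A1E was revoked after a suspected private-key compromise.
SAMPLE_REVOKED = {"0A1E"}
# Fixed "today" so the run is reproducible (the date of the post).
SAMPLE_NOW = datetime(2007, 7, 30, tzinfo=timezone.utc)


if __name__ == "__main__":
    for link, (state, days) in sorted(triage(SAMPLE_INVENTORY, SAMPLE_REVOKED, SAMPLE_NOW).items()):
        print(f"{link:16s} {state:14s} {days:+5d} days")
```

Run as-is it reports the billing link as needing renewal (21 days left), the HR link as already expired and the portal link as revoked regardless of its remaining validity; the revocation check comes first on purpose, because a compromised key is a problem no matter how many days the certificate has left. Plugging in a real inventory means feeding it the dicts from `ssl.getpeercert()` or an equivalent export of the certificate store.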

Needless to say, an in-house CA adds a lot of trouble and effort to an already not-so-great situation. And since trouble and effort equal money, the decision comes down, as usual, to a cost/benefit analysis. And, as usual, it may prove worthwhile to actually check whether the links really need crypto protection at all, which in turn is up to the risk analysis.

And just for the record, passwords are so much worse of an option and so much more trouble that I decided to not even mention it… oh, damnit…

July 28, 2007

After Grill IT #7

For the Polish-speaking lot of you, here is what I talked about at the last Grill IT about a week ago.


If you'd like to meet me in person, please check out where I'm about to speak next.

July 30, 2007

Autumn Meetings of the Polish Information Processing Society

Once again news for those of you who speak Polish, as the conference will be held in Polish.

The event has a pretty long tradition of 22 editions, but this year, for the first time, the audience has been invited to actively participate in shaping the agenda. Unfortunately, it’s already too late to voice your opinion, but I think the conference may be worth visiting anyway. I’m planning to be there (if time allows) and I’m watching closely to see how the vox populi, vox dei idea is catching on.

In other news, there is a parallel initiative, the 2nd International Workshop on Secure Information Systems, held in English; please feel free to check out the details.

© 2006-2007 Michał Sobiegraj. All rights reserved. The views expressed here are my own, and not necessarily endorsed by any former or current employer.

About July 2007

This page contains all entries posted to Michal Sobiegraj | Security Consultant and Evangelist in July 2007. They are listed from oldest to newest.
