Almost every engagement I worked on resulted in authoring a combination of high and low-level designs, operational guides, key signing ceremonies and integration guides. The selection of documents published on this page has been vastly redacted, anonymised and / or truncated.
Links to PDFs are included in the following tables.
I was commissioned by Thales e-Security to author a white paper providing a detailed examination of architectural best practices when deploying Offline Certification Authorities (CAs) and Hardware Security Modules (HSMs).
After nCipher was divested from Thales in 2019, the document was reformatted and republished by nCipher – by this time I’d retired.
I was commissioned by my employers of the time, Oxford Computer Group (now Kocho), to author a white paper which explains PKI at a high level. The document is targeted at illuminating “how Microsoft does PKI with ADCS” (Active Directory Certificate Services).
The design incorporated ADCS and Thales HSMs. The solution had two tiers: a Root CA and four Issuing CAs; one of the Issuing CAs cross-certified with a third-party CA.
The design was based upon a two-tier ADCS, deployed entirely on a VMware virtualisation platform. All CA private key material was solely protected in software (no HSMs).
The solution incorporated Microsoft CLM (latterly FIM-CM) smart card management system, which was coupled with ADCS and nCipher HSMs. The customer requirement was to issue smart cards in over sixty countries.
The architecture design was for a remote access VPN solution. It incorporated machine authentication with a digital certificate (PKI) combined with RSA SecurID based user authentication.
This technical note describes the approach taken to move symmetric keys, protected by nCipher HSMs, which were utilised by a smart card management system. The keys were moved between two FIPS 140-2 level 3 security worlds – via an intermediary HSM configured at FIPS 140-2 level 2.
A support document which incorporated ADCS in its solution; it addresses routine operations such as Root CA CRL publication, CRL promulgation, scripted or ad hoc certificate enrolment, PKI monitoring, etc.
A support document describing a process to recover a decryption private key in the event of its loss, for use with Windows Encrypting File System (EFS).
The technical note describes a tactical code signing exercise which: 1) creates a self-signed certificate and private key with PowerShell, 2) converts the resulting PFX to P12 using OpenSSL, 3) imports the P12 into a Java keystore.
A KSC for publishing a Root CA CRL in a very prescriptive and disciplined manner. The Root CA was deployed on a laptop running VMware Workstation, which hosted a Windows Server virtual guest, upon which was installed the offline Root CA.
I put together a slide show to explain the PKI Solution I had designed, and how various elements of the infrastructure leveraged it. There’s content related to WPA2 using IEEE 802.1X, RADIUS, LDAP/S, mutual HTTPS and eMail signing using S/MIME. The presentation is complemented by a high-level overview of the solution.
There’s nothing particularly illuminating about anything I presented / described, but I loved the project acronym for Two Factor Authentication – Next Generation: 2FANG!
I’d helped to implement cross-certification between two major UK public sector organisations, which wasn’t working as anticipated. The email dialogue is a partial record of some of the deduction which was involved in understanding why certificate trust chains didn’t build correctly when accessing a website over TLS.
After a one day site visit to a customer, I put together a report (proposal) for a solution integrator encompassing how the design I envisaged would satisfy the requirements which I had gleaned.
A test plan which incorporated Intercede MyID in its solution; it instructs on how to perform basic smart card tasks such as requesting cards, issuing cards, certificate revocation and granting operator rights entitlement.
A report investigating available options for simplifying the logon experience after two banks were merged. The banks had separate Active Directory (AD) forests which couldn’t be ‘joined’ via AD trusts. The banks had different outsourcing partners, IBM and EDS; they couldn’t agree to do anything together!
After being away from a customer for two years due to my injury in July 2015, I spent a few weeks from July 2017 doing some new work for them. One of my deliverables was a report containing my observations of what I perceived they were doing incorrectly and recommendations on how they could improve matters.
Legacy (old) documents can be viewed on the following page.