Introduction

Almost every engagement I worked on resulted in authoring a combination of high and low-level designs, operational guides, key signing ceremonies and integration guides. The selection of documents published on this page have been vastly redacted, anonymised and / or truncated.

Links to PDFs are included in the following tables.

White Papers

DOCUMENTDESCRIPTION
Offline CA HSM Best Practices for ThalesI was commissioned by Thales e-Security to author a white paper providing a detailed examination of architectural best practices when deploying Offline Certification Authorities (CAs) and Hardware Security Modules (HSMs).
After nCipher was divested from Thales in 2019, the document was reformatted and republished by nCipher – by this time I’d retired.
ADCS for Oxford Computer GroupI was commissioned by my employers of the time, Oxford Computer Group (now Kocho), to author a white paper which explains PKI at a high level. The document is targeted at illuminating “how Microsoft does PKI with ADCS” (Active Directory Certificate Services).

Designs

DOCUMENTDESCRIPTION
ADCS Utilising HSMsThe design incorporated ADCS and Thales HSMs. The solution had two tiers: a Root CA and four Issuing CAs; one of the Issuing CAs cross-certified with a third-party CA.
ADCS without Utilising HSMsThe design was based upon a two-tier ADCS, deployed entirely on a VMWare virtualisation platform. All CA private key material was solely protected in software (no HSMs).
Three-Tier PKI with SafeNet HSMsThe solution incorporated a three-tier PKI, which utilised SafeNet HSMs to protect private key material.
ActivIdentity Smart Card Management System DesignThe design was based around the ActivIdentity (latterly HID ActivID) smart card management system, coupled with ADCS and nCipher HSMs.
CLM Smart Card Management System DesignThe solution incorporated Microsoft CLM (latterly FIM-CM) smart card management system, which was coupled with ADCS and nCipher HSMs. The customer requirement was to issue smart cards in over sixty countries.
VPN Authentication ArchitectureThe architecture design was for a remote access VPN solution. It incorporated machine authentication with digital certificate (PKI) combined with RSA SecurID based user authentication.

Engineering

DOCUMENTDESCRIPTION
ADCS Detailed EngineeringAn engineering document for a solution incorporating ADCS, it describes the purpose of each of the installation and operational scripts.
Migration of HSM Protected KeysThis technical note describes the approach taken to move symmetric keys, protected by nCipher HSMs, which were utilised by a smart card management system. The keys were moved between two FIPS 140-2 level 3 security worlds – via an intermediary HSM configured at FIPS 140-2 level 2.

Operation Guides

DOCUMENTDESCRIPTION
ADCS OperationA support document which incorporated ADCS in its solution; it addresses routine operations such as Root CA CRL publication, CRL promulgation, scripted or ad hoc certificate enrolment, PKI monitoring, etc.
ADCS Key RecoveryA support document describing a process to recover a decryption private key in the event of its loss, for use with Windows Encrypting File System (EFS).
Java Code SigningThe technical note describes a tactical code signing exercise which: 1) creates a self-signed certificate and private key with PowerShell, 2) converts a PFX to P12 using OpenSSL, 3) imports the P12 into a Java key store.

Key Signing Ceremony (KSC) Documents

DOCUMENTDESCRIPTION
Root CA CRL PublicationA KSC for publishing a Root CA CRL in a very prescriptive and disciplined manner. The Root CA was deployed on a laptop running VMWare Workstation, which hosted a Windows Server virtual guest, upon which was installed the offline Root CA.
Changing Private Key ProtectionA KSC for changing the nCipher HSM key protection of an Issuing CA’s private signing key from Operator Card Set (OCS) to “module only”.

General

DOCUMENTDESCRIPTION
Design and Use Case PresentationI put together a slide show to explain the PKI Solution I had designed, and how various elements of the infrastructure leveraged it. There’s content related to WPA2 using IEEE 802.1X, RADIUS, LDAP/S, mutual HTTPS and eMail signing using S/MIME. The presentation is complemented by a high-level overview of the solution.
Solution Migration WorkshopThere’s nothing particularly illuminating about anything I presented / described, but I loved the project acronym for Two Factor Authentication – Next Generation: 2FANG!
TLS Troubleshooting DialogueI’d helped to implement cross-certification between two major UK public sector organisations, which wasn’t working as anticipated. The email dialogue is a partial record of some of the deduction which was involved in understanding why certificate trust chains didn’t build correctly when accessing a web-site over TLS.
Proposal for a Strong Authentication SolutionAfter a one day site visit to a customer, I put together a report (proposal) for a solution integrator encompassing how the design I envisaged would satisfy the requirements which I had gleaned.
Intercede MyID Smart Card Management (Test Plan)A test plan which incorporated Intercede MyID in its solution; it instructs on how to perform basic smart card tasks such as requesting cards, issuing cards, certificate revocation and granting operator rights entitlement.
Consulting - Two AD Forests with One CredentialA report investigating available options for simplifying the logon experience after two banks were merged. The banks had separate Active Directory (AD) forests which couldn’t be ‘joined’ via AD trusts. The banks had different outsourcing partners – IBM and EDS, they couldn’t agree to do anything together!
Observations and RecommendationsAfter being away from a customer for two years due to my injury in July 2015, I spent a few weeks from July 2017 doing some new work for them. One of my deliverables was a report containing my observations of what I perceived they were doing incorrectly and recommendations on how they could improve matters.

Legacy (old) documents can be viewed on the following page.