Groups

When deciding on whether the Managed CA or the CA Software is most suited to you, you should understand the difference between an open and a closed user group. From a CA perspective, this relates to the extent of end user control you have. If the CA exercises some degree of control over the end user’s environment then it is a closed user group and if it doesn’t, it is in an open group.

The following are examples of the two types of user group:

• If you have sufficient control over your users and can ensure they all have Outlook® 2008, then this is considered a closed user group.
• If you issue all the certificates on smart cards, from a CA perspective, you control every aspect of the environment and this is a closed group.
• If you send thousands of email newsletters to a wide user group, you have no idea what email software they use, so this is an open group.
• If you have a small group of extranet users that you manage and they trust you, then this could be considered a closed user group.
• The tax payers in a country all belong to the closed group: tax payers and the tax authorities can enforce certain practices on its users
• The e Passport of the citizen from one country is still valid in another country is a closed group by conforming to international standards
• Two friends communicating over the internet but not knowing each others software is an open group because neither controls the other

It is not always immediately obvious whether a group is open or closed and it is important that this is determined accurately if your CA is to meet your precise requirements. If there is any doubt, contact the Digi-CAST™ Team and ask them to advise you.

If the user group is closed, then you may be able to use either CA. There are two exceptions to this when you want to secure:

• a server using a Secure Socket Layer [SSL] server certificate
• email using a client certificate

In 99% of cases an SSL certificate must be Trusted and if there is any possibility that the secure email is required outside the closed group, then the Trusted certificate is required here too. In both of these special cases, the Managed CA is your only choice.

The third consideration needed to help you select the correct CA for your organisation is the availability suitably trained and experienced technical personnel required to run and operate a CA. Most organisations don’t have this type of specialist staff within their organisation and therefore are best advised to use a Managed CA to deliver the required service.