Gear Up Your PKI Pilot
July 26, 1999
By Mike Fratto
Arming yourself for online commerce is a tricky business. Security weapons are as varied and as specific as those designed for real battle. Choose the wrong ones, and your security strategy could go awry fast.

The PKI industry is moving swiftly to solidify protocols and processes. Vendors and supporters also are working diligently to develop PKI-enabled applications and to push the industry to the point at which widespread adoption is possible. But there's no question that such widespread use is still a ways off.

Clearly, you need a full-scale security strategy to take advantage of PKI. To be effective, this strategy must encompass certain electronic security measures, including a firewall, intrusion detection devices, and cryptographic hardware for key storage and recovery. You also must have a physical security installation that limits access to the console running the software. And you need to ensure 24x7 operation.

Finally, be sure to factor in the costs associated with training or hiring personnel who can put the PKI together. These people must be able to turn the PKI into a seamless, integrated, secure system that will withstand attack and auditing. This is no simple feat. You'll need administrators who understand network security as well as developers who can build secure applications using PKI tool kits.

If your business depends on network-based transactions, such as business-to-business e-commerce, you need to start investing in PKI now. At the very least you should familiarize yourself with the market and learn some early lessons from pilot projects.

The tools or software you need will vary greatly depending on your situation. For example, if you're looking at creating an online store, a signed server certificate from a well-known CA, such as VeriSign, might enable your Web site for SSL (Secure Sockets Layer) transactions.

Essentially, a PKI is a secure repository storing information about users and devices in digital certificates. Digital certificates are "signed" by a trusted third party, so you can have faith that a certificate positively identifies the certificate presenter. But that is all a PKI does. The value of the PKI rests with ERP (Enterprise Resource Planning) applications, VPNs (virtual private networks), client-side SSL and other applications that leverage it. By attaching attributes to a certificate, a VPN device, for example, can use the certificate to specify encryption algorithms and key lifetimes, while a firewall can use the certificate for authentication and access control. E-commerce and supply-chain applications can manage financial risk by using certificate attributes specifying a user's purchase limit. The applications are endless.
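The trust relationship described above, as an added Go example that is not from the article: a self-signed CA signs a user certificate carrying a purchase limit in a private X.509 extension, and the relying application reads that attribute only after the chain verifies against its trusted roots, so the same attribute on a certificate from an issuer it does not trust is rejected. The extension OID, the names and the limit values are constructed for the example; it uses only Go's standard-library crypto/x509.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical private-enterprise OID for a "purchase limit" attribute (constructed for this example).
var purchaseLimitOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// issue mints a key pair and certificate for name: with parent == nil a self-signed root CA, otherwise a client certificate signed by parent that carries limit as an X.509 extension under purchaseLimitOID.
func issue(name string, limit int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root CA: signs itself and is permitted to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // end user: client-authentication certificate with the purchase-limit attribute attached
		val, _ := asn1.Marshal(limit) // DER INTEGER; marshalling an int64 cannot fail
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: purchaseLimitOID, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// PurchaseLimit returns the attribute only after the certificate chains to a trusted root: on a certificate no trusted CA has signed, the attribute is an unverified claim and must never reach the authorization decision.
func PurchaseLimit(cert *x509.Certificate, roots *x509.CertPool) (int64, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return 0, fmt.Errorf("certificate not trusted: %w", err)
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(purchaseLimitOID) {
			var limit int64
			_, err := asn1.Unmarshal(ext.Value, &limit)
			return limit, err
		}
	}
	return 0, fmt.Errorf("no purchase-limit attribute in certificate for %q", cert.Subject.CommonName)
}
```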
Forming the Infrastructure

Meanwhile, in a bid to drive PKI adoption, CA vendors are offering development tool kits and APIs for use by application developers to enable programs with PKI support. Entrust Technologies, for example, gives away its tool kits. But PKI-enabled applications often will work only with specific CAs. ERP packages, such as PeopleSoft, use only a few PKI-related products in alliance programs.

With existing standards changing rapidly and new standards joining the mix, a cottage industry has evolved aimed squarely at filling in the divots left by PKI vendors and standards bodies. CA vendors, API developers, application vendors and service providers are coming together to interoperate at all levels of the PKI and provide seamless integration.

Critical issues loom large for the PKI industry, such as certificate-management protocols, client-side certificate support and token support. Fundamental management problems, including automated certificate management and renewal and certificate-revocation checks, are being ironed out. Still, some gelling of common architectures and standards is taking place. And the focus within the PKI industry is beginning to shift from basic interoperation of protocols to using PKI to solve complex business models. This is a good sign, and it means we'll soon see many more PKI-enabled applications.

PKI is already in heavy use at companies securing Web commerce using server-side SSL. But at this stage we've barely scratched the surface of PKI's value. PKI pilot deployments have been limited to VPN installations, online banking and supply-chain management. We've yet to see wide-scale deployment, involving millions of users.

Implementing the PKI into the enterprise is a risky, and potentially costly, proposition. There are still enough gray areas in the standards to make even the boldest IT manager cautious. And even if vendor implementations conform to the standards, they may not interoperate because of differing interpretations of those standards. Much of the work, such as cross-certification and client-side certificate revocation, is a manual process and won't scale to the enterprise.

At this point, you'd be wise to limit use of PKI-enabled applications to pilot projects or look at vendors that provide a full PKI solution with broad application support, such as Entrust--even if it means you are tied to Entrust-enabled applications for the short term.