Until this spring, there seemed to be no recognition of the need to document a path construction methodology, let alone provide public-domain code for it.

Vendors had three choices: They could figure out the graph theory themselves (all PKI programmers are mathematicians, right?), use a toolkit such as Entrust or CAPI 2.0, or support only simple hierarchical PKIs. Certificate-path validation was equally daunting: Either read X.509 and RFC 2459 or use one of the commercial toolkits (and hope they got it right). The development of public-domain source code is an important step in PKI maturation, and it is worth studying to see how a COI (community of interest) can make a difference in the advancement of usable technologies.

In February 1998, the U.S. Federal PKI technical workgroup revised its Conops (Concept of Operations, see csrc.nist.gov/pki/twg/baseline/pkicon20b. PDF), changing from a hierarchical to a cross-certified PKI model. There was some concern about the change, particularly within Defense. At the time, support for cross-certification in a PKI was hard to find in deployed products. The NSA undertook the task of producing a pilot PKI using the federal PKI model.

In April 1999, I brought up the problem of lack of documentation for path construction to the workgroup. The NSA approached one of its principal contractors, Cygnacom, to develop a document on path construction and provide a source implementation as a part of the CA Interoperability Demonstration (csrc.nist.gov/pki/twg/presentations/twg-99-56.pdf). Dr. Santosh Chokhani of Cygnacom (a recognized authority in the X.509 community) presented his path construction methodology in July (csrc.nist.gov/ pki/twg/presentations/twg-99-44.pdf), and his programmers delivered the source code at the September workgroup meeting. The short time from problem discovery to product delivery is a testament to the people involved in the NSA pilot. More important, it shows that a group of technology users can make a difference, and rapidly at that.

The U.S. government has been making advancements in PKI. The information you can "borrow" on the NIST (National Institute of Standards and Technology) Web site now points to actual code for your development teams and your vendors. "Certificate-path processing can't be done" no longer applies. Design your PKI to meet your business goals, and tell your vendors to produce the standards-based products you need.

Robert Moskowitz is a senior technical director at ICSA. Send your comments on this column to him at rgm@htt-consult.com.