An Unlikely PKI Cavalry

November 1, 1999

By ROBERT MOSKOWITZ

I have often lamented the lack of progress with some key components of PKI (public key infrastructure), including certificate-path construction and path validation. Path construction and validation are critical processes for supporting complex e-commerce PKIs; without them, we'll be forever trapped in the current Web PKI model (perhaps more aptly spelled 'PKi,' given the lack of a grand infrastructure for public keys). But I am happy to report that public-domain source code is now available for path construction from Cygnacom Solutions (www.cygnacom.com) and for path validation from J. G. Van Dyke & Associates (www.jgvandyke.com). Public-domain source code provides critical reference implementation for getting new functionality in products. Both types were funded by an unlikely source--the NSA (National Security Agency).

The NSA is not always the boogeyman in the crypto community. One of its charters is to assist the Department of Defense in procuring secure COTS (commercial, off-the-shelf) products. In the PKI field, this has meant working with standards bodies and vendors, running pilots and funding code development. The NSA people involved in this work are sincere in their commitment to open processes.

Until this spring, there seemed to be no recognition of the need to document a path construction methodology, let alone provide public-domain code for it. Vendors had three choices: They could figure out the graph theory themselves (all PKI programmers are mathematicians, right?), use a toolkit such as Entrust or CAPI 2.0, or support only simple hierarchical PKIs. Certificate-path validation was equally daunting: Either read X.509 and RFC 2459 or use one of the commercial toolkits (and hope they got it right).

The development of public-domain source code is an important step in PKI maturation, and it is worth studying to see how a COI (community of interest) can make a difference in the advancement of usable technologies.

In February 1998, the U.S. Federal PKI technical workgroup revised its Conops (Concept of Operations, see csrc.nist.gov/pki/twg/baseline/pkicon20b.PDF), changing from a hierarchical to a cross-certified PKI model. There was some concern about the change, particularly within Defense. At the time, support for cross-certification in a PKI was hard to find in deployed products. The NSA undertook the task of producing a pilot PKI using the federal PKI model.

In April 1999, I brought up the problem of lack of documentation for path construction to the workgroup. The NSA approached one of its principal contractors, Cygnacom, to develop a document on path construction and provide a source implementation as a part of the CA Interoperability Demonstration (csrc.nist.gov/pki/twg/presentations/twg-99-56.pdf). Dr. Santosh Chokhani of Cygnacom (a recognized authority in the X.509 community) presented his path construction methodology in July (csrc.nist.gov/pki/twg/presentations/twg-99-44.pdf), and his programmers delivered the source code at the September workgroup meeting.

The short time from problem discovery to product delivery is a testament to the people involved in the NSA pilot. More important, it shows that a group of technology users can make a difference, and rapidly at that.

The U.S. government has been making advancements in PKI. The information you can "borrow" on the NIST (National Institute of Standards and Technology) Web site now points to actual code for your development teams and your vendors. "Certificate-path processing can't be done" no longer applies. Design your PKI to meet your business goals, and tell your vendors to produce the standards-based products you need.

Robert Moskowitz is a senior technical director at ICSA. Send your comments on this column to him at rgm@htt-consult.com.