COLUMN

An Unlikely PKI Cavalry

November 1, 1999
By ROBERT MOSKOWITZ

I have often lamented the lack of progress with some key components of PKI (public key infrastructure), including certificate-path construction and path validation. Path construction and validation are critical processes for supporting complex e-commerce PKIs; without them, we'll be forever trapped in the current Web PKI model (perhaps more aptly spelled 'PKi,' given the lack of a grand infrastructure for public keys). But I am happy to report that public-domain source code is now available for path construction from Cygnacom Solutions (www.cygnacom.com) and for path validation from J. G. Van Dyke & Associates (www.jgvandyke.com). Public-domain source code provides the critical reference implementation needed to get new functionality into products. Both efforts were funded by an unlikely source: the NSA (National Security Agency).

The NSA is not always the boogeyman in the crypto community. One of its charters is to assist the Department of Defense in procuring secure COTS (commercial, off-the-shelf) products. In the PKI field, this has meant working with standards bodies and vendors, running pilots and funding code development. The NSA people involved in this work are sincere in their commitment to open processes.

Until this spring, there seemed to be no recognition of the need to document a path construction methodology, let alone provide public-domain code for it.

Vendors had three choices: They could figure out the graph theory themselves (all PKI programmers are mathematicians, right?), use a toolkit such as Entrust or CAPI 2.0, or support only simple hierarchical PKIs. Certificate-path validation was equally daunting: Either read X.509 and RFC 2459 or use one of the commercial toolkits (and hope they got it right). The development of public-domain source code is an important step in PKI maturation, and it is worth studying to see how a COI (community of interest) can make a difference in the advancement of usable technologies.

In February 1998, the U.S. Federal PKI technical workgroup revised its Conops (Concept of Operations, see csrc.nist.gov/pki/twg/baseline/pkicon20b.PDF), changing from a hierarchical to a cross-certified PKI model. There was some concern about the change, particularly within Defense. At the time, support for cross-certification in a PKI was hard to find in deployed products. The NSA undertook the task of producing a pilot PKI using the federal PKI model.
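To make concrete what "figuring out the graph theory" and reading RFC 2459 involve in a cross-certified PKI of the kind the federal workgroup adopted, here is an added example in Python (not Cygnacom's or Van Dyke's code): path construction as a breadth-first search over a small constructed mesh of hypothetical CAs, followed by a simplified validation of name chaining, CA flags and pathLenConstraint. All CA names and certificate values are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    path_len: "int | None" = None  # basicConstraints pathLenConstraint; None = unlimited

# Constructed cross-certified mesh with hypothetical CA names (not real CAs). Both
# agencies cross-certify a bridge CA in both directions, so the graph has cycles.
CERTS = [
    Cert("FedBridge", issuer="AgencyA", is_ca=True, path_len=2),
    Cert("AgencyA", issuer="FedBridge", is_ca=True, path_len=2),
    Cert("AgencyB", issuer="FedBridge", is_ca=True, path_len=1),
    Cert("FedBridge", issuer="AgencyB", is_ca=True, path_len=1),
    Cert("Alice", issuer="AgencyB", is_ca=False),
]

def build_path(anchor, target, certs):
    """Path construction as breadth-first search from the trust anchor's name. Each
    certificate is an edge issuer -> subject; returns the shortest path or None."""
    by_issuer = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)
    queue, seen = deque([(anchor, [])]), {anchor}
    while queue:
        name, path = queue.popleft()
        for c in by_issuer.get(name, []):
            if c.subject == target:
                return path + [c]
            if c.is_ca and c.subject not in seen:  # visited set breaks cross-cert cycles
                seen.add(c.subject)
                queue.append((c.subject, path + [c]))
    return None

def validate_path(anchor, path):
    """Simplified RFC 2459 section 6 checks: name chaining from the anchor, CA flag
    on every intermediate, and pathLenConstraint (max CA certs allowed after it)."""
    expected_issuer = anchor
    for i, c in enumerate(path):
        if c.issuer != expected_issuer:
            return False, f"{c.subject} not issued by {expected_issuer}"
        if i < len(path) - 1 and not c.is_ca:
            return False, f"{c.subject} is not a CA but issued the next certificate"
        if c.is_ca and c.path_len is not None and sum(d.is_ca for d in path[i + 1:]) > c.path_len:
            return False, f"pathLenConstraint={c.path_len} exceeded at {c.subject}"
        expected_issuer = c.subject
    return True, "ok"
```

Construction and validation are separate steps: a path the search finds can still be rejected, for instance when a cross-certificate carries a pathLenConstraint too tight for the bridge topology below it.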

In April 1999, I brought the lack of documentation for path construction to the workgroup. The NSA approached one of its principal contractors, Cygnacom, to develop a document on path construction and provide a source implementation as part of the CA Interoperability Demonstration (csrc.nist.gov/pki/twg/presentations/twg-99-56.pdf). Dr. Santosh Chokhani of Cygnacom (a recognized authority in the X.509 community) presented his path construction methodology in July (csrc.nist.gov/pki/twg/presentations/twg-99-44.pdf), and his programmers delivered the source code at the September workgroup meeting. The short time from problem discovery to product delivery is a testament to the people involved in the NSA pilot. More important, it shows that a group of technology users can make a difference, and rapidly at that.

The U.S. government has been making advancements in PKI. The information you can "borrow" on the NIST (National Institute of Standards and Technology) Web site now points to actual code for your development teams and your vendors. "Certificate-path processing can't be done" no longer applies. Design your PKI to meet your business goals, and tell your vendors to produce the standards-based products you need.

Robert Moskowitz is a senior technical director at ICSA. Send your comments on this column to him at rgm@htt-consult.com.