FEATURE
PKI: Struggling for Interoperability

August 7, 2000

By Mike Fratto

Where are all those converts to PKI (public key infrastructure)? After Y2K, it was said, everyone would jump on the PKI bandwagon. Everything would interoperate, paving the way for global communities of trust, regardless of which vendors' products are used. Never mind the application-development nightmare of making programs PKI-aware. Forget that the most common Internet applications, including Netscape Navigator, can't validate certificates, and let's just bury the much more difficult organizational and legal issues surrounding the use of digital certificates.

These issues may not have diminished the enthusiasm for PKI and digital certificates, but they haven't made it easy to adopt this security infrastructure either. Still, PKI can do so much more than user authentication and supporting applications such as VPNs (virtual private networks) and secure e-mail. Integrate PKI with ERP (enterprise resource planning), and you begin to centralize user management across departments and roles. Use a PKI for single sign-on, and you get strong user authentication and auditing. And that's just the tip of the iceberg. A digital identity can be used anywhere a signature on pen and paper is used. The initial costs for implementing and managing a PKI are high, but long-term savings can be realized.

A PKI is a set of servers, CAs (certificate authorities), RAs (registration authorities), directories and applications that lets organizations model trust electronically. A PKI can be used for simple applications, like user authentication and VPN, and for complex e-commerce authorization and access control.

A few brave companies are embracing PKI in a big way. Amazon.com has declared Entrust Technologies its vendor of choice. Xcert International recently announced a whopping 8-million-certificate CA for a large medical consortium, and Baltimore Technologies is busy forging alliances and swallowing GTE CyberTrust.
That's a whole lotta shaking going on.

In reality, implementing a PKI is a costly endeavor that spans equipment and software purchases, providing a secure environment, developing and integrating applications to leverage the PKI, and supplying end users with digital certificates.

We invited Baltimore Technologies, Entrust Technologies, RSA Security and Xcert International to a comparative review of PKI offerings. RSA declined because it was upgrading its PKI system and couldn't submit a stable product in time for our tests.

We examined a number of features that help install and manage a PKI. With each product we built both peer-to-peer and hierarchical PKIs, installed each component on a separate platform, customized user roles for managing the PKI, created customized certificates and enrollment forms and enabled bulk user management.

We found that each product's approach to building a PKI has significant pluses and minuses. For example, the default installation of Xcert's Sentry CA 4.0 is bare-bones, but it is also heavily customizable, using HTML templates and the XParse scripting language. Entrust/PKI 5.0 comes with a more completely configured management system than that found in Baltimore's or Xcert's package but often requires editing text files to add enrollment fields. Baltimore's UniCERT 3.1.1 offers the easiest enrollment customization process of all, but its modular approach to PKI services requires some extra planning when rolling out the PKI.

Although it is possible to install and manage your own PKI, you can bet you'll have to rely heavily on consultants and developers during your rollout. Designing and implementing a PKI is a complex task, and if it's done incorrectly, it will be difficult to change in the future. Development tools and support services are two key areas we could not examine, because each organization's installation is so different that comparisons are all but meaningless.
Your best bet in evaluating these areas is to get referrals to companies installing similar applications and to research the strategic partnerships with the applications you plan to install.

Cost is another determinant when you're choosing a PKI package. The vendors offered prices for the basic components, and while Entrust's and Xcert's packages were relatively close in price, Baltimore's UniCERT has a whopping $60,000 base price. Those figures will get you started, but add in the cost for users and the prices rise further. Only Entrust, which tends to get beat up over its pricing, had the courage to offer per-user pricing for Web user certificates (see pricing chart). Both Baltimore and Xcert told us you can contact them directly about per-user licensing. You're on your own.

Key Features

As with any large-scale application, naming the "best" product overall is often not very useful, because one organization's specific needs may differ from others'. For example, providing certificate life-cycle management requires robust client applications, such as those provided by Entrust/PKI, while robust Web-based applications using generic browsers might be better served by either Sentry or UniCERT. However, we considered a number of issues when determining the Editor's Choice for a PKI solution: configuration, customization, and both role-based and user management.

PKI configuration included adding and removing RAs and other components, joining CAs, and chaining directories. For example, adding a CA to a PKI involves chaining the directories first and setting the appropriate ACLs (access control lists) on each directory. Alternatively, all CAs can publish to the same directory.

Of course, simply adding components is one task. PKIs can also be joined, and here we found a surprising difference among the products. Entrust/PKI supports both peer-to-peer and hierarchical organizations; however, a hierarchical Entrust/PKI can be joined only at the root CA.
Both Baltimore's and Xcert's PKIs can join at any point. While it is prudent to join PKIs only at the root CA--from which trust flows downward--organizations may need to join PKIs at departmental levels, such as for subordinate CAs assigned to purchasing departments.

Each PKI package installs with templates for certificates and enrollment. However, we wanted to add specific attributes to the certificates and require that certain information be collected at enrollment time and stored in the directory but not in the certificate. For example, employee ID numbers, internal access controls and human-resources information may need to be collected. Because of privacy issues, however, they should not be publicly available. UniCERT makes such customization a snap through a drag-and-drop GUI that we found very easy to use. We had to use text files to perform the same tasks with Entrust/PKI and Sentry. While creating certificate templates is not a daily task, editing text files is error-prone even for seasoned administrators.

PKI, like any large-scale management system, requires strong role-based management features, because to secure management processes effectively, you want to limit the scope of changes one person can make while letting an auditing body watch the managers. Again, Entrust/PKI has an excellent, easily customized role-based management system. Similar role-based management can be built in Sentry with ACLs, but it, too, is more error-prone, because unlike Entrust/PKI it doesn't check dependencies.

Foremost, PKIs provide users with digital certificates; thus, the user-management features often play a key role. When we tested user management, we examined the ways users could be added, modified and revoked, both singly and in bulk. Such wholesale changes, which should occur infrequently, can save hundreds of hours of work.
Bulk management is key for enterprise installations, though it may not be as important for e-commerce applications, such as online shopping, because users are typically added as they register. Baltimore and Entrust show their experience in this area, with their fully scriptable bulk-management systems. Xcert's package can do bulk operations as well, but these are custom applications developed by the company's professional services division.

After we loaded 500,000 certificates, and configured and reconfigured our PKI, we named Entrust/PKI the Editor's Choice for its excellent management capabilities and its bulk-management and customization features. Xcert's Sentry finishes a close second, with some impressive features, such as supporting multiple CAs on one platform and excellent customization via HTML and XParse. Baltimore's UniCERT also has some useful features, including GUI management and enrollment forms; however, a CA that doesn't come with a database or a directory just doesn't cut it for us.
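To make the point about joining PKIs at the root CA versus at a departmental subordinate CA concrete, here is a small Python model of how far trust reaches from a join point. It is an added illustration, not code from the review or from any vendor's product; the two organizations (ACME and Widget), their CAs and all user names are constructed, and trust is modelled as reachability only, with no signatures, validity periods or revocation checks.

```python
from collections import deque
# Constructed sample data (not from the review): two hypothetical organisations,
# ACME and Widget, each with a root CA and departmental subordinate CAs. Each
# entry maps a certificate subject to its issuing CA; a self-issued entry is a root.
CERTS = {
    "ACME Root": "ACME Root",
    "ACME Purchasing CA": "ACME Root",
    "ACME HR CA": "ACME Root",
    "alice@acme": "ACME Purchasing CA",
    "bob@acme": "ACME HR CA",
    "Widget Root": "Widget Root",
    "Widget Purchasing CA": "Widget Root",
    "Widget Legal CA": "Widget Root",
    "carol@widget": "Widget Purchasing CA",
    "dave@widget": "Widget Legal CA",
}

def build_path(subject, trust_anchor, certs=CERTS, cross_certs=()):
    """Issuer chain from subject up to trust_anchor, or None if there is none.

    cross_certs are (joined_ca, issuing_ca) pairs: issuing_ca has issued a
    certificate to joined_ca, which is where the two PKIs are joined. Trust is
    modelled as pure reachability; real path validation would also check
    signatures, validity periods, revocation and name constraints.
    """
    issuers = {}
    for s, i in list(certs.items()) + list(cross_certs):
        issuers.setdefault(s, set()).add(i)
    queue = deque([[subject]])          # breadth-first search upward
    while queue:
        path = queue.popleft()
        if path[-1] == trust_anchor:
            return path
        for issuer in issuers.get(path[-1], ()):
            if issuer not in path:      # skip the self-issued root loop
                queue.append(path + [issuer])
    return None

def trusted_users(trust_anchor, certs=CERTS, cross_certs=()):
    """End-entity subjects (those containing '@') that chain to trust_anchor:
    the scope of trust that a given join creates."""
    return sorted(s for s in certs if "@" in s
                  and build_path(s, trust_anchor, certs, cross_certs))

if __name__ == "__main__":
    print("joined at root:", trusted_users("ACME Root",
          cross_certs=[("Widget Root", "ACME Root")]))
    print("joined at purchasing:", trusted_users("ACME Root",
          cross_certs=[("Widget Purchasing CA", "ACME Purchasing CA")]))
```

Joining at Widget's root makes every Widget user trusted from ACME's anchor, while joining only at the purchasing CAs admits the purchasing department's users and nobody else, which is the departmental-level join the review says Entrust's hierarchical mode cannot express.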