UBM Network Computing
Security
FEATURE
In PKI We Trust?

September 3, 2001
By Mike Fratto


When PKIs hit the streets a few years ago, a media frenzy ensued -- remember 1999, the year of the public-key infrastructure? Now it's the morning after, and we've gotten a dose of reality when it comes to the cost and complexity of rolling out a PKI. But one thing remains constant: Positive authentication is vital for doing business regardless of whether you're express-mailing paper contracts and purchase orders or sending those documents electronically. A PKI offers a way to transmit data securely over insecure networks, extending user credentials across an enterprise or to extranet partners.



Sounds good, but a PKI implementation shouldn't be undertaken lightly. The preparation involved is daunting, no matter which vendor or technology you choose. Success or failure will hinge on whether you've done your homework -- make sure you know what services you want from your PKI, what applications you must support, what policies and procedures will be defined for the care and feeding of the PKI, and how the PKI will be integrated into your security and operational plans. Only after these and other policy issues have been resolved are you ready (see "PKIs Are Still Tough To Deploy").

A fundamental question is whether to outsource all or some of your PKI. This is a difficult business decision, and once you start down one path it's hard to change course. Why outsource? After all, if you do your homework, deploying a PKI isn't difficult. If you can install an application, you can install a CA (certificate authority). The trick, however, is ensuring the security and integrity of the CA while providing adequate uptime. We say let outsourcers build and support secured facilities complete with redundant network connections and disaster-recovery plans. Then you can spend your time where it counts: creating and instituting certificate policies and applications that rely on your PKI.

Looking Outward

To determine how well an outsourced PKI could perform, we created a simple scenario. Our hypothetical organization supports an initial user base of 1,000 to 5,000 clients on Microsoft Windows NT/2000 and Sun Microsystems Solaris. We specified S/MIME (Secure MIME) using Microsoft Exchange and Outlook, and support for a remote-access VPN using a Check Point Software Technologies VPN-1 installation. We chose these applications because they are ready to integrate with a PKI. The participating vendors have active partner programs ensuring integration with VPN, e-mail, ERP (enterprise resource planning) and a host of other applications. In addition, each vendor offers APIs so developers can customize applications as needed. You give up a lot of control when you outsource critical services, so we asked vendors to provide auditing information, descriptions of their networks, information on how they will guarantee uptime and a description of development APIs.

Answering our call were Baltimore Technologies, with its Managed PKI Service; Entrust Technologies, with Entrust@YourService; and VeriSign, with its OnSite 4.6 offering. We based our fictitious organization in our Syracuse University Real-World Labs®.

A Big Decision

Outsourcing a PKI is not like hiring an ISP to host a Web site posting the cafeteria menu. Your PKI -- and the individual CA digital certificates and corresponding key pairs -- is your organization's digital identity. Moreover, your PKI is vouching that the certificates it signs are given to the appropriate end users or devices. Digital certificates aren't just for identification and authentication; attributes in the certificates can be used by PKI-aware applications to determine access control and authorization. For example, a bank could use your digital certificate to determine what kind of customer you are and provide differentiated services, or an online order-entry system could use information contained in the certificate to determine your spending limit. As long as the signing CA is trusted, certificates issued by that CA will be trusted as well. Because so much trust, and thus risk, is tied to a CA, you must protect it and the certificates it issues just as you would HR records, existing contracts and other data.

Likewise, the certificates stored on user computers need to be guarded. Using smartcards or requiring that users password-protect digital-certificate stores will provide reasonable protection. Digital certificates issued to Microsoft clients, such as Internet Explorer and Outlook, can carry an attribute requiring the use of a password-protected store.

Managed PKI services remove much of the burden of securing and maintaining a PKI by hosting the server hardware and software in secure, monitored and well-maintained facilities. Procedures are in place for every process the service provider performs, from adding new administrators to generating audit logs, and these processes are audited.

While vendors will claim good practices, you should get copies of their most recent security audits or ask that your auditors be allowed to perform their own audits. We were unable to get SAS-70 audits from VeriSign or Baltimore. (A Statement on Auditing Standards No. 70, or SAS-70, allows an auditing organization to evaluate and state an opinion on a service provider's internal controls. It also provides an audit report that a customer can use during due diligence when evaluating a provider.) VeriSign and Baltimore, sensitive to risk, said the security audits contain confidential information that is disclosed only on a need-to-know basis. Both companies assured us they are SAS-70-certified; Baltimore submitted a summary of a recent audit, which we took on trust, and VeriSign pointed us to its WebTrust audit report.

Entrust, whose Entrust@YourService is hosted at a FirstData Corp. C2-certified facility, says it is planning to initiate an SAS-70 audit but was unable to give us any details. While we believe the vendors in this review operate in good faith, we wouldn't want to base a customer financial statement audit on assurances.

Service Features

A number of service features -- including supporting simple or complex PKI architectures, extensive preplanning, formalized change requests, service redundancy and customized PKI designs -- are common to all three vendors' offerings. As with nearly all outsourced services, your application goals should drive the end result.

We chose a simple PKI architecture. We had a single subordinate CA, which was signed by one of the root CAs for each respective service. Operationally, we could conduct the review with this simple model. However, for a real deployment, you'll need a multitiered architecture. Your organization's digital identity is tied to your root CA, so if the root CA is compromised, all the certificates it has created must be revoked and replaced. To limit the risk and damage of a compromise, at minimum a two-tier, and ideally a three-tier, PKI should be deployed.

In a two-tier PKI, your root CA issues certificates to its own administrators and any subordinate CAs below it. The subordinate CAs issue user certificates, while the root CA can be kept offline in a locked and monitored room, which should assure security. If a subordinate CA is compromised, only the certificates it has signed need to be replaced. And a multitier PKI can more closely model your organizational requirements -- each major department can run its own CA.

The hosted PKI process begins with a planning phase, where you meet with the service provider to discuss your specific needs, including application support, and develop change-management policies both for the CA service and for locally hosted processes, such as user registration. Enter these meetings with clear objectives and technical knowledge. The more prepared you are, the more productive your planning will be, making it less likely you'll need costly rearchitecting down the road. The vendors' professional services include consulting, ranging from architecture to application development. The key is to make sure the service is developed with your initial goals and future plans in mind.

The planning stage is also when you make decisions about when and how revocation data is published. The vendors whose products we review here support certificate-revocation lists, certificate-revocation distribution points and OCSP (Online Certificate Status Protocol). Entrust's and Baltimore's service offerings let revocation data be published once a certificate is revoked. VeriSign issues revocation data every 24 hours or every hour, depending on the level of service, or immediately when using OCSP. OCSP is only as valuable as certificate revocation is timely.
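The revocation-timing point above is easy to underestimate, so here is an added illustration (not code from the article or from any of the vendors reviewed) of the window between a revocation and the moment a relying party can actually see it. A CRL consumer keeps using the list it holds until the next scheduled publication, while a responder that publishes on every revocation (modelled here as a `None` interval) closes the window at once. The publication intervals, timestamps and serial numbers are constructed parameters, not a description of any vendor's service.

```python
"""Exposure window between a certificate's revocation and its visibility to
relying parties, as a function of how often revocation data is published.
Added illustration; the dates, serials and intervals below are constructed."""
from datetime import datetime, timedelta
from typing import Dict, Optional


def next_publication(revoked_at: datetime, start: datetime,
                     interval: Optional[timedelta]) -> datetime:
    """First scheduled publication at or after `revoked_at`.
    interval=None models a service that publishes on each revocation."""
    if interval is None:
        return revoked_at
    elapsed = revoked_at - start
    periods = -(-elapsed // interval)          # ceiling division on timedeltas
    return start + periods * interval


def latest_publication(now: datetime, start: datetime,
                       interval: Optional[timedelta]) -> datetime:
    """Publication time of the revocation list a relying party holds at `now`."""
    if interval is None:
        return now
    return start + ((now - start) // interval) * interval


def exposure_window(revoked_at: datetime, start: datetime,
                    interval: Optional[timedelta]) -> timedelta:
    """How long a revoked certificate keeps being accepted by CRL consumers."""
    return next_publication(revoked_at, start, interval) - revoked_at


def accepted_by_relying_party(serial: str, now: datetime,
                              revocations: Dict[str, datetime],
                              start: datetime,
                              interval: Optional[timedelta]) -> bool:
    """True if the list the relying party holds at `now` does not list `serial`.
    `revocations` maps serial -> time the CA recorded the revocation."""
    list_time = latest_publication(now, start, interval)
    revoked_at = revocations.get(serial)
    return revoked_at is None or revoked_at > list_time


# Constructed scenario: publication schedule anchored at midnight, a certificate
# revoked 30 minutes after a publication, a relying party checking at noon.
SCHEDULE_START = datetime(2001, 9, 3, 0, 0)
REVOCATIONS = {"0x1a2b": datetime(2001, 9, 3, 0, 30)}   # constructed serial
CHECK_TIME = datetime(2001, 9, 3, 12, 0)
POLICIES = {"daily CRL": timedelta(hours=24),
            "hourly CRL": timedelta(hours=1),
            "publish on revoke": None}


def summarize() -> Dict[str, tuple]:
    """(exposure window, still accepted at CHECK_TIME?) for each publication policy."""
    out = {}
    for name, interval in POLICIES.items():
        window = exposure_window(REVOCATIONS["0x1a2b"], SCHEDULE_START, interval)
        still_ok = accepted_by_relying_party("0x1a2b", CHECK_TIME, REVOCATIONS,
                                             SCHEDULE_START, interval)
        out[name] = (window, still_ok)
    return out


if __name__ == "__main__":
    for name, (window, still_ok) in summarize().items():
        print(f"{name:18s} exposure={window}  accepted at noon={still_ok}")
```

The same arithmetic applies to an OCSP responder that is fed from periodic CRLs rather than from the CA's own revocation records: the responder answers instantly, but with data no fresher than the last publication, which is the sense in which OCSP is only as valuable as revocation is timely.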

After planning is complete, your interaction with the service provider will be limited largely to maintaining certificate life cycles. VeriSign offers the widest array of management features, even letting you change certificate elements and service parameters when needed. More extensive changes may or may not be billable, depending on how the service is negotiated. Both Entrust and Baltimore perform on your behalf all service modifications, such as adjusting certificate attributes or customizing the certificate enrollment pages. For the most part, service modifications will take place within a few days; noncritical changes that require CA downtime will take place during scheduled downtime.

All three service providers ensure connectivity and uptime by using multiple links to the Internet and redundant hardware. Entrust@YourService and VeriSign OnSite host multiple customers on a single hardware platform, so the entire platform, including secure key storage, is redundant. Baltimore charges extra for redundant hardware. In addition, all three service providers can create any kind of PKI you require -- from a simple, single CA to a full-blown, three-tiered architecture with multilevel CAs. One major benefit of a hosted PKI is that you spend your time on the important stuff, like architecture and policy, while the service provider does the grunt work of installing and maintaining the PKI. Your point of contact with the PKI involves managing certificates.

You can subordinate your CA to one of the public CAs, leveraging the power of a larger PKI. However, you will have to subordinate your policies under the vendor's PKI policies, because your certificates are ultimately under the authority of the topmost CA. All three vendors also host private PKIs, where you have a self-signed root CA, and the trust stops there. The service provider manages and maintains the infrastructure in its secure facility, but your organization not only is responsible for developing policies regarding certificate life-cycle management but must also distribute your root CA certificate to the users and applications to make use of it.
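The two-tier design described earlier and the trust-anchor question above (public root versus a private self-signed root you must distribute yourself) rest on the same two mechanics: a relying party accepts a certificate only when its issuer chain reaches an anchor it has been given, and a CA compromise forces reissue of everything beneath that CA. The following added model (not code from the article or from any of the vendors) reduces certificates to subject/issuer records, with no real signatures, to make both properties concrete; the hierarchy and names are constructed.

```python
"""Chain building and compromise blast radius in a multi-tier CA hierarchy.
Added illustration: certificates are (subject, issuer, is_ca) records and
signatures are not modelled. All names below are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str            # subject of the signing CA; equals subject for a self-signed root
    is_ca: bool = False    # basicConstraints CA flag; only CAs may issue


# Constructed two-tier private PKI: an offline root, one subordinate CA per
# department, and end-user certificates issued only by the subordinates.
HIERARCHY: List[Cert] = [
    Cert("Example Root CA", "Example Root CA", is_ca=True),
    Cert("Example Finance CA", "Example Root CA", is_ca=True),
    Cert("Example Engineering CA", "Example Root CA", is_ca=True),
    Cert("alice@finance", "Example Finance CA"),
    Cert("bob@finance", "Example Finance CA"),
    Cert("carol@eng", "Example Engineering CA"),
]


def by_subject(certs: Iterable[Cert]) -> Dict[str, Cert]:
    return {c.subject: c for c in certs}


def build_chain(subject: str, certs: Iterable[Cert],
                trust_anchors: Set[str]) -> Optional[List[str]]:
    """Walk issuer links from `subject` upward. Returns the chain of subjects,
    leaf first, ending at a trust anchor; None if the walk reaches an unknown
    issuer, a non-CA issuer, or a self-signed root the relying party has not
    been told to trust (the 'trust stops there' case for a private root)."""
    index = by_subject(certs)
    chain: List[str] = []
    cur = index.get(subject)
    while cur is not None and cur.subject not in chain:
        chain.append(cur.subject)
        if cur.subject in trust_anchors:
            return chain
        if cur.issuer == cur.subject:          # self-signed but not an anchor
            return None
        issuer = index.get(cur.issuer)
        if issuer is None or not issuer.is_ca:  # missing or non-CA issuer
            return None
        cur = issuer
    return None


def blast_radius(compromised_ca: str, certs: Iterable[Cert]) -> Set[str]:
    """Subjects whose certificates must be revoked and reissued if the private
    key of `compromised_ca` is lost: the CA itself and everything beneath it."""
    certs = list(certs)
    affected = {compromised_ca}
    frontier = [compromised_ca]
    while frontier:
        issuer = frontier.pop()
        for c in certs:
            if c.issuer == issuer and c.subject not in affected:
                affected.add(c.subject)
                frontier.append(c.subject)
    return affected


if __name__ == "__main__":
    anchors = {"Example Root CA"}          # the root certificate you distributed
    print("chain:", build_chain("alice@finance", HIERARCHY, anchors))
    print("no anchor distributed:", build_chain("alice@finance", HIERARCHY, set()))
    print("finance CA compromised:", sorted(blast_radius("Example Finance CA", HIERARCHY)))
    print("root compromised:", sorted(blast_radius("Example Root CA", HIERARCHY)))
```

Subordinating to a public root is the case where the anchor set is the public root rather than your own certificate; the chain-building rule is unchanged, which is exactly why your policies then sit under the topmost CA's policies.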

Take Your Pick

Each provider has strengths and weaknesses. VeriSign's base package offers the most complete management front end and provides plug-ins for common applications in its Go Secure line but lacks some of the advanced features offered by its rivals. Entrust, with its desktop applications, has the best client and certificate life-cycle support, but that adds to both the purchase price and support costs. Baltimore offers a great deal of flexibility with its various modules, but the base offering is not as complete as the other two.

VeriSign took our Editor's Choice award, but each vendor's strengths make its service more compelling in specific applications. You need to do the homework and decide on the best fit for your organization.

Copyright © 2008  United Business Media LLC  |  Privacy Statement  |  Terms of Service  |  Your California Privacy Rights