Network Computing (powered by InformationWeek Business Technology Network)
Security
FEATURE
In PKI We Trust?

  September 3, 2001
  By Mike Fratto



Baltimore Technologies Managed PKI Service

Baltimore's strengths are in its add-on features and certificate life-cycle support. Like Entrust's offering, Managed PKI Service is a centrally managed instance of Baltimore's commercial CA software, with the CA installed on dedicated hardware in Baltimore's secure facility. The service is customized during the service planning phases: this is when you decide which Baltimore PKI applications will be hosted on the customer premises and which will be hosted by Baltimore, define certificate revocation rules, and decide how often audit logs are created and sent to a designated administrator.

Baltimore's WebRAO (Registration Authority Operator) interface is limited to a few basic functions regarding certificate issuance, approval and lookup. Managed PKI Service enables multiple certificate policies to be active at any time, meaning we could issue a customized certificate based on the application using it. For example, we might issue a certificate with attributes indicating spending limits or have a certificate profile defined specifically to control access into a Web application. This is one way to tailor certificates to specific users without having to fill in meaningless fields. Certificate policies are built by Baltimore technicians based on customer definitions and pushed out to WebRAO. We had several policies defined for our installation so we could generate certificates for Outlook or Web servers and create new RAOs.



PKI Service Features


Baltimore's was also the only service in which we could register users face to face by having WebRAO generate public/private key pairs and the related digital certificates and present them to the user. This capability is useful in authenticating a user in person before issuing a digital certificate. Face-to-face registration is also used for processing PKCS (Public Key Cryptography Standard) #10 certificate requests.

Registering a user is a simple process. We selected the certificate policy we wanted to generate, entered the data and submitted the request. WebRAO generated a public/private key pair, issued the certificate request, and submitted it to the CA. In a few moments the certificate was ready for download. Once a certificate is downloaded, WebRAO saves it in a PKCS #12 file; that file, along with a password to unlock it, can be given directly to the user. All your registration can be done face to face, provided passwords are distributed separately from the PKCS #12 file.
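The enrollment flow described above, reproduced with OpenSSL as an added example (this is not Baltimore's software or code from the article). A throwaway self-signed CA stands in for the hosted CA, and the function names, subject DN and passphrase are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: OpenSSL stands in for WebRAO and the hosted CA.
# The CA, subject DN and passphrase are constructed for illustration.

enroll_user() (   # args: work dir, subject DN, PKCS #12 passphrase
  umask 077       # keys and bundle readable by the operator only
  dir=$1; subj=$2
  export P12_PASS=$3   # passed via environment, not argv, so `ps` cannot see it
  # Throwaway self-signed CA (in the service this key stays at the provider).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
  # 1. The RA generates the user's key pair (the face-to-face case).
  openssl genrsa -out "$dir/user.key" 2048 2>/dev/null &&
  # 2. The RA wraps the public key in a signed PKCS #10 request.
  openssl req -new -key "$dir/user.key" -subj "$subj" -out "$dir/user.csr" &&
  # 3. The CA checks the request signature and issues the certificate.
  openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/user.crt" 2>/dev/null &&
  # 4. Key, certificate and CA cert go into one passphrase-protected PKCS #12.
  openssl pkcs12 -export -inkey "$dir/user.key" -in "$dir/user.crt" \
    -certfile "$dir/ca.crt" -name enrolled-user \
    -passout env:P12_PASS -out "$dir/user.p12" &&
  # 5. The RA must not keep the plaintext key once the bundle exists.
  rm -f "$dir/user.key"
)

p12_subject() (   # args: PKCS #12 file, passphrase; fails if it does not unlock
  export P12_PASS=$2
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null
)

work=$(mktemp -d)
enroll_user "$work" "/O=Example Corp/CN=Alice Example" "constructed-passphrase"
p12_subject "$work/user.p12" "constructed-passphrase"
```

When the user generates the key pair and brings only a PKCS #10 request, steps 1, 4 and 5 happen on the user's machine and the registration operator never handles the private key.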



Baltimore's WebRAO certificate retrieval (screen view)


What helps Baltimore also hurts it, however. While Managed PKI Service is flexible, you pay for that flexibility. It's especially important here to go over all the deployment options available during the planning stages. For example, if you want to do bulk enrollment, easily accomplished with Entrust and VeriSign, Baltimore has to deploy -- at a cost -- its ARM (Advanced Registration Module), which can be programmed to pull authorization information from external user databases regardless of where the module is located. It might make more sense to put ARM on the local network, to ensure uptime and accessibility. Conversely, hosting ARM at Baltimore's secure facility means one less server to maintain.

Managed PKI Service. Available: Now. Baltimore Technologies, http://www.baltimore.com


Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining Network Computing, Mike worked as an independent consultant in central New York. Send your comments on this article to him at mfratto@nwc.com.

