Security: Feature

In PKI We Trust?

September 3, 2001
By Mike Fratto

Baltimore Technologies Managed PKI Service

Baltimore's strengths are in its add-on features and certificate life-cycle support. Like Entrust's offering, Managed PKI Service is a centrally managed instance of Baltimore's commercial CA software, with the CA installed on dedicated hardware in Baltimore's secure facility. The service is customized during the planning phases: which Baltimore PKI applications will be hosted on the customer premises and which will be hosted by Baltimore, what the certificate revocation rules are, and how often audit logs are created and sent to a designated administrator.

Baltimore's WebRAO (Registration Authority Operator) interface is limited to a few basic functions regarding certificate issuance, approval and lookup. Managed PKI Service enables multiple certificate policies to be active at any time, meaning we could issue a customized certificate based on the application using it. For example, we might issue a certificate with attributes indicating spending limits or have a certificate profile defined specifically to control access into a Web application. This is one way to tailor certificates to specific users without having to fill in meaningless fields. Certificate policies are built by Baltimore technicians based on customer definitions and pushed out to WebRAO. We had several policies defined for our installation so we could generate certificates for Outlook or Web servers and create new RAOs.



PKI Service Features


Baltimore's was also the only service in which we could register users face to face by having WebRAO generate public/private key pairs and the related digital certificates and present them to the user. This capability is useful in authenticating a user in person before issuing a digital certificate. Face-to-face registration is also used for processing PKCS (Public Key Cryptography Standard) #10 certificate requests.

Registering a user is a simple process. We selected the certificate policy we wanted to use, entered the user's data and submitted the request. WebRAO generated a public/private key pair, built the certificate request and submitted it to the CA. In a few moments the certificate was ready for download. Once a certificate is downloaded, WebRAO saves it, together with the private key, in a PKCS #12 file; that file, along with a password to unlock it, can be given directly to the user. All your registration can be done face to face, provided passwords are distributed separately from the PKCS #12 file.
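The per-application certificate policies described two paragraphs above and the face-to-face registration steps just described map onto a short OpenSSL command-line flow. The script below is an added example, not Baltimore's or Network Computing's code: a throw-away CA stands in for the hosted Baltimore CA, OpenSSL extension files stand in for the technician-built certificate policies (an Outlook profile with emailProtection and a Web server profile with serverAuth), and the registration steps are key generation, a PKCS #10 request, issuance under the chosen policy and export to a password-protected PKCS #12 file whose password is returned on a separate channel from the file. All names (Example Corp, Alice Example, alice@example.com, www.example.com, the file paths) are constructed.

```shell
#!/bin/sh
# Added example: RAO-style enrollment with the openssl CLI. Not part of the article.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, requests, certs, bundles

# Step 0: a demo CA playing the role of the hosted certificate authority (constructed).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/O=Example Corp/CN=Example RAO Demo CA" >/dev/null 2>&1
}

# Certificate policies, one per application. Here they are plain OpenSSL extension
# files that the CA applies at signing time; the RAO only chooses the policy name.
write_policy() {   # $1 = policy name, $2 = extendedKeyUsage value
  cat > "$WORK/policy-$1.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $2
EOF
}

# Steps 1-3: generate the key pair at the registration desk, build a PKCS #10
# request, submit it to the CA under the chosen policy, collect the certificate.
enroll_user() {    # $1 = short name, $2 = policy name, $3 = subject DN
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$3" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/policy-$2.cnf" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Step 4: bundle private key, certificate and CA chain into a PKCS #12 file locked
# with a random password. The password is the function's only stdout, so the caller
# can hand the file to the user and deliver the password by a different route.
export_pkcs12() {  # $1 = short name; prints the unlock password
  pw=$(openssl rand -hex 12)
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -certfile "$WORK/ca.crt" -name "$1" -out "$WORK/$1.p12" -passout "pass:$pw"
  printf '%s\n' "$pw"
}

# Checks the recipient or an auditor can run afterwards.
p12_opens_with() {  # $1 = short name, $2 = candidate password; 0 if it unlocks
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -noout >/dev/null 2>&1
}
cert_chains_to_ca() {  # $1 = short name; 0 if the certificate verifies against the CA
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}
cert_has_eku() {    # $1 = short name, $2 = EKU text as printed by openssl x509 -text
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "$2"
}

# Run the flow: two policies, one Outlook user and one Web server.
make_demo_ca
write_policy outlook   emailProtection
write_policy webserver serverAuth
enroll_user alice outlook   "/O=Example Corp/CN=Alice Example/emailAddress=alice@example.com"
enroll_user www   webserver "/O=Example Corp/CN=www.example.com"
ALICE_PW=$(export_pkcs12 alice)

echo "Hand to the user in person : $WORK/alice.p12"
echo "Deliver by a separate route: password $ALICE_PW"
```

Run it with `sh enroll.sh` (any recent OpenSSL, 1.1.1 or 3.x). The split between `alice.p12` and `ALICE_PW` is the point of the last step: a PKCS #12 file that travels with its own password is no better protected than a bare private key, which is exactly the caveat the article attaches to face-to-face registration.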



Baltimore's WebRAO certificate retrieval (screen view)


What helps Baltimore also hurts it, however. While Managed PKI Service is flexible, you pay for that flexibility. It's especially important here to go over all the deployment options available during the planning stages. For example, if you want to do bulk enrollment, easily accomplished with Entrust and VeriSign, Baltimore has to deploy -- at a cost -- its ARM (Advanced Registration Module), which can be programmed to pull authorization information from external user databases regardless of where the module is located. It might make more sense to put ARM on the local network, to ensure uptime and accessibility. Conversely, hosting ARM at Baltimore's secure facility means one less server to maintain.

Managed PKI Service. Available: Now. Baltimore Technologies, http://www.baltimore.com


Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining Network Computing, Mike worked as an independent consultant in central New York. Send your comments on this article to him at mfratto@nwc.com.

