Bridging The Business-to-Business Authentication Gap
· The need for widespread deployment of smartcard readers based on strong authentication--especially in an age of laptop computing--to guard against a thief or associate assuming false credentials on a hijacked machine;
· The need for products implementing a standard secure transport like IPsec along with the Internet Security Association and Key Management Protocol (ISAKMP)/Oakley or Simple Key Management for IP (SKIP) key management approaches IPsec calls for;
· Domestic and international laws and policies that prevent the export and import of the strong cryptography most users want to use as an underlying component of authentication systems; and
· The need to hide the complexity of public key authentication from network users to discourage them from circumventing security policies.
On the plus side, users finally will have freedom of choice in what has been a narrow PK authentication market. Later this quarter, CA products and product/outsourcing packages were shipping, or were expected to ship, from a range of vendors including Bull, Certco (a spin-off of Banker's Trust), Entrust Technologies, GTE, IBM Corp., ICL, Internet Dynamics, Isolation Systems Ltd., Frontier Technologies, Microsoft, Netscape Communications Corp., Newbridge Networks' TimeStep (and partners such as Bechtel's Genuity), Siemens Nixdorf, South Africa's Thawte Consulting, Sun, VeriSign and Xcert (see "Who's Who in the CA Market," on page 72). Sun also says it expects to expand the capabilities of its initial SunScreen-based CA offering.
Certifiably Challenging
Still, for all of these companies and their customers, huge political, legal, philosophical and technological challenges remain. That's not to say security should be ignored because it is imperfect--only that it will take time to perfect. Jamie Lewis, president of The Burton Group, says the establishment of a public key infrastructure (PKI) sits in about the same position as directory services two years ago--and that it will be about three years before the technology is widely deployed. "We're still at the stage of asking, 'What the hell is PKI? and why is it important?'" he says.
One critical roadblock to widespread deployment is the fractured and overlapping nature of security standards and approaches. At the highest levels, coalitions are forming around API sets to resolve the multiple-standard problem by pulling many standards into huge API bear hugs. Among these overarching encryption and authentication frameworks are Microsoft's CryptoAPI, Intel's CDSA (now being refined by Intel, IBM and Netscape within The Open Group) and a yet-to-be announced API set from Sun--which sounds as though it will be broader than either the CryptoAPI or CDSA. Novell, too, hints that it is about to deliver its own security/management APIs.
Forrester Research analyst Carl Howe says he considers such multistandard efforts misguided. In security, he says, it's hard to make choices but important to do so, because each API can be thought of as a point of entry--a vulnerability. However, as Milind Khare, Intel's product marketing manager for data security and content management, points out: "It's not APIs that determine vulnerability, it's how the system is designed that determines if you have good security or not."
One thing is clear: If multiple standards are supported, grappling with complexity is unavoidable. For example, the very high-level standards-based Generic Security Services (GSS) API can be situated atop Intel's CDSA, for which Intel has also designed object-based Java hooks for the framework's C-based structure. But because Microsoft's CryptoAPI took the lead and garnered guaranteed support for its products from application developers, Intel is contemplating layering CDSA APIs atop CryptoAPI. JavaSoft engineer Marianne Mueller says Intel and RSA have asked her company to define the Java APIs that will work with the CDSA architecture. The JavaSoft Development Kit, set for release this summer, will include its own certificate management APIs, although in May, Mueller said she wasn't sure whether those APIs would match those used for CDSA.
Meanwhile, back at SunSoft, plans proceed for Sun to announce its own API security framework, which may or may not align with CDSA.
Complicating or clarifying emerging API lineups further--depending on your vantage point--are Intel partners and analysts who say Intel has been describing plans to introduce chip-based security. Whether the idea is to provide API support for PKI on the chip or to manufacture encryption-ready chips remains unclear; Intel declines to comment.