Bridging The Business-to-Business Authentication Gap
Most vendors and users expect PKIX to prevail simply because it's been around longer and is better defined--even though incorporating SPKI/SDSI features might improve it. While the efforts overlap significantly, SPKI/SDSI authors say they will make their work interoperate with PGP and other infrastructures. Carl Ellison, a cryptographer for CyberCash and author of the SPKI/SDSI draft, says SPKI/SDSI will "eventually supplant" X.509 because it isn't being developed for big companies, but for 10-person companies, with free encoding. "This results in shorter development cycles, richer interaction with customers and ultimately something that will go further to improve the large structures being built for large companies," he says. CyberCash plans to launch SPKI/SDSI internally this summer.
Warwick Ford, VeriSign's director of advanced technology and co-chair of the PKIX working group, said this spring that attribute extensions for privilege-based certificates will inevitably wend their way into PKIX, but he wasn't sure whether they would come from SPKI/SDSI (which puts a high premium on such certificates) or through extensions yet to be fully defined by the ANSI X9 group. Within the IETF, he says, "it would be a good option to merge the SPKI authorization model into PKIX."
Defining Privilege on the Net
The notion of associating privileges with certificates should come to the fore over the next year. Vendors may think a simple user ID is important, but many users find that it doesn't go far enough. For example, Cisco and Microsoft employees may need to share resources concerning their ActiveDirectory partnership, while safeguarding others. One way the companies might solve this dilemma is to use DCE's Kerberos authentication.
David Fowler, vice president of sales and marketing at Gradient Technologies, a company that focuses on this market and has partnerships with development-tool companies to Kerberos-enable applications, strongly advises PKI/Kerberos coordination. Extending PKI to address privileges would enhance support for the parameters already extracted for Kerberos certificate attributes, he says. Gradient, which was set to ship its first product by the end of last month, said in June it plans to add support for Entrust-based CAs.
The Open Group is also evaluating whether to extend client/server PKI to its own Kerberos security, though some industry observers remain skeptical that The Open Group can pull off a scalable public key-based Kerberos client-server framework. Still, Kerberos has some major supporters, including Microsoft, which relies on Kerberos as its Windows NT 5 default while also supporting PK technology natively in its NT security architecture. Kerberos has also found its way into SESAME public key products, and SESAME supporters say SESAME elements, in turn, are finding their way into The Open Group public key effort.
Still, it's not easy to find a unifying thread among the syntax and attributes springing up around privilege-based models, with definitions potentially growing out of ANSI's X9, PKIX, SPKI/SDSI, SESAME, The Open Group/Kerberos, individual product vendors and even users. Gradient Technologies' Fowler wishes the IETF or any strong standards group would assume authority and reconcile the approaches to prevent interoperability problems. Karan Khanna, Microsoft's security product manager, thinks it most likely that an X.509 definition will prevail, but he says the overall state of indecision is obstructing PKI adoption.
Privileges and ID: Two Certs in One?
Analysts, users and vendors would also like the IETF to define how privilege and policy attributes, now crammed into certificates, can be secured on Lightweight Directory Access Protocol (LDAP) or other directories. Doug Rosenthal, engineering director at CyberGuard subsidiary TradeWave, expects both PKIX and SPKI/SDSI infrastructures ultimately to offload these descriptions to more easily administered LDAP directories.
The auto industry's Moskowitz deems the combined structure "unacceptable." Not only could you have 200 privileges associated with a certificate, he says, but the system won't scale if the certificate must be revoked and reissued every time a role is changed. Instead, he favors ephemeral, or short-lived, privilege certificates that are tied to the identity certificate.
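The split Moskowitz favors, as an added illustration that is not part of the article: a long-lived identity certificate plus a short-lived privilege certificate bound to the identity certificate's fingerprint, so a role change means issuing a fresh privilege certificate while the identity certificate is never revoked or reissued. Subject names, timestamps and the issuer key are constructed, and an HMAC stands in for the public-key signatures a real X.509 or SPKI deployment would use.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the issuer's signing key. A real infrastructure
# signs with a private key; the HMAC keeps this demo dependency-free while
# still making any tampering with a certificate body detectable.
ISSUER_KEY = b"constructed-demo-issuer-key"


def _canon(body: dict) -> bytes:
    """Canonical encoding so signatures and fingerprints are reproducible."""
    return json.dumps(body, sort_keys=True).encode()


def _sign(body: dict) -> str:
    return hmac.new(ISSUER_KEY, _canon(body), hashlib.sha256).hexdigest()


def fingerprint(cert: dict) -> str:
    """Hash of the identity certificate; privilege certs bind to this value."""
    return hashlib.sha256(_canon(cert["body"])).hexdigest()


def issue_identity(subject: str, not_before: int, not_after: int) -> dict:
    body = {"type": "identity", "subject": subject,
            "not_before": not_before, "not_after": not_after}
    return {"body": body, "sig": _sign(body)}


def issue_privilege(identity: dict, roles: list, now: int, lifetime: int) -> dict:
    """Ephemeral privilege cert: carries roles, expires on its own, and is tied
    to one specific identity certificate rather than to a name."""
    body = {"type": "privilege", "holder": fingerprint(identity),
            "roles": sorted(roles), "not_before": now, "not_after": now + lifetime}
    return {"body": body, "sig": _sign(body)}


def _valid(cert: dict, now: int) -> bool:
    body = cert["body"]
    return (hmac.compare_digest(cert["sig"], _sign(body))
            and body["not_before"] <= now <= body["not_after"])


def authorize(identity: dict, privilege: dict, role: str, now: int) -> bool:
    """Grant only if both certs verify and are in their validity window, the
    privilege cert is bound to this identity, and it actually carries the role."""
    if not (_valid(identity, now) and _valid(privilege, now)):
        return False
    if privilege["body"]["holder"] != fingerprint(identity):
        return False
    return role in privilege["body"]["roles"]
```

Because the privilege certificate expires on its own, removing a role needs no revocation list; the relying party simply stops seeing a current privilege certificate for that identity.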