To view the Report card.

In brief, a PKI di stributes certificates that bind an individual to a public key. Access to the certificate is generally fairly open, because the crucial private key portion of the pair is held only by the user, server or process doing the signing and encryption. The X.509 version 3 certificate format is the data structure of choice, and it has massive market momentum behind it. The principal role of the X.509 certificate server is to act as a trusted third party, assisting in the authentication, verification and distribution of public keys.

PKIs may be managed by a commercial entity--such as AT&T, GTE, Thawte, VeriSign or the U.S. Postal Service. Current browsers trust many of these certificate authorities by default; organizations also may prefer to run their own PKI system. As these systems become more sophisticated and are adopted by more applications vendors, the desire to maintain PKI in-house will mount.

When we first discussed plans to review certificate servers, at least a dozen companies had products in the works. Yet by October, only three were w orthy of consideration for PKI in the enterprise: Entrust Technologies' Entrust/WebCA 1.02, Netscape Communications Corp.'s Certificate Server 1.02 and Xcert Software's Sentry CA 1.41--and these three are evaluated in this review. These are the tools that you'd use to build your in-house system, not by public providers like VeriSign.

Overall, we found that Xcert Sentry CA's flexibility, open architecture and rapid adoption of IETF (Internet Engineering Task Force) standards makes it the best strategic choice for PKI in the enterprise. On the other hand, in pure Netscape environments, the Netscape Certificate Server is a fine choice, offering solid distributed administration. If you want a simple, affordable solution for small-scale deployment, Entrust/WebCA may work.

To download an Adobe Acrobat .pdf format version of the Certificate Servers features c harts, click here.