PUBLIC KEY INFRASTRUCTURE FOCUS - PKI: all you need to know

John Geralds reports on the latest push for public key infrastructure.

Public Key Infrastructure (PKI) is creating a buzz in the IT security market. But while the technology may not yet be ready for prime time, vendors are pushing hard to move it into the mainstream.

The major proponents of PKI technology gathered at RSA's recent Data Security Conference in San Jose to promote PKI as the underlying technology for authentication, privacy and data integrity across many types of application. They also stressed that a PKI manages the certificates issued by its Certificate Authorities (CAs), together with the public and private keys used in the enterprise.

RSA, a subsidiary of Security Dynamics, announced it was moving beyond its traditional business of licensing encryption technology and providing products such as SecurID tokens. It has just launched Keon Security Server to provide centralised security administration and user management, together with Keon Desktop to encrypt files and provide single sign-on.

The company's senior vice-president of marketing, Scott Schnell, said: "Until today, people have concentrated exclusively on the technical underpinnings of PKI, when it's the application security that is equally, if not more, important."

Netscape and VeriSign also announced at the conference that they have expanded their relationship to enable users of Netscape's Certificate Server to issue and manage digital certificates within the VeriSign Trust Network, a collection of CAs. The aim is to make PKI deployment more practical by giving companies hands-on control of their own CAs.

Dave Wieden, Netscape's vice-president of directory security, claimed: "By using the Netscape Certificate Management System, companies can more easily issue, manage and revoke their own X.509 public-key certificates."

Elsewhere, firewall vendor Check Point Software unveiled a turnkey PKI system for the company's VPN-1 gateway. The company's Certificate Manager for VPN-1 offers an integrated, scalable key management system for IPSec/IKE virtual private networks (VPNs) and a standards-based PKI that it claims is easier to install and administer. It also includes an LDAP repository and a policy-based management architecture.

Also, Entrust Technologies demonstrated how its PKI technology interoperated transparently with Baltimore Technologies' Unicert CA and IBM's PKI client reference software, known as 'Jonah', using PKIX-CMP (the Certificate Management Protocol defined by the IETF's PKIX working group).

Brian O'Higgins, Entrust's executive VP and chief technology officer, said: "The interoperability achievement represents quantifiable progress of PKIX-CMP and helps eliminate industry-wide barriers to truly interoperable PKI solutions."

Novell rolled out enhancements to its Public Key Infrastructure Services (PKIS) when it introduced NetWare 5. Michael Simpson, a Novell product manager, said PKIS enables customers to issue and manage digital certificates without buying products such as Netscape's Certificate Server or signing up a certificate vendor.

Larry Gauthier of the Burton Group agreed, saying PKI was a natural extension of Novell's directory.

"Novell Directory Services is still a captive directory that stands to benefit from the external capabilities defined by PKI. The technology is going to bring a lot of value to traditional NetWare environments," he said.

NDS's new security capabilities in NetWare 5 also include a cryptographic infrastructure intended to let applications be deployed worldwide while complying with the differing encryption laws of individual countries.

PKI: THE WAY TO ACHIEVE INTEROPERABILITY

At the RSA conference, PKI (public key infrastructure) technology was aggressively pitched as a much-needed way to reduce the interoperability problems users face with existing security systems. Standards-based PKIs are considered crucial in building corporate and consumer confidence in the security and reliability of internet commerce.

To that end, IBM's Lotus subsidiary has just published a reference implementation of a pending Internet Engineering Task Force (IETF) standard to enable other software vendors to produce interoperable PKI-compliant products easily and quickly.

The IETF's Public Key Infrastructure (X.509) standards, commonly known as PKIX, define how products issue, validate, revoke and renew digital certificates, which are used to assure the security of internet transactions and messages.

Phil Schacter, analyst with The Burton Group, said: "Dissension in the PKIX community about the best way to do certain things is likely to present implementation challenges for vendors that may slow widespread use of the technology. We're probably not going to see commercial products until maybe the second half of the year, and those are going to need a while to mature before people will rely on them to do all of their extranet work." But he added: "IBM's implementation will accelerate progress toward getting lots of these (PKIX) implementations from different vendors. This is going to take away roadblocks to widespread PKI adoption, and IBM is probably going to do quite well out of it."

Ted Julian, a Forrester Research analyst, believes that the next step will include the introduction of tools that will help IT administrators manage multiple certificates from different PKI vendors in a single infrastructure and provide richer certificate validation and revocation.