
Summary

The Market

As you can imagine, managing public key pairs for all users in an organisation, let alone all users on the Internet, poses quite a logistical problem. This is where PKI comes in, providing the framework within which key pairs and certificates are generated and maintained over their life cycle.

However, the framework is of little use without applications that take advantage of it. Today's browsers and e-mail packages are beginning to include the ability to sign, verify, encrypt and decrypt data using digital certificates and associated key pairs, which are stored in a "secret store" somewhere on the user's local hard disk.

In order to support the full key history and automated CRL checking, however, applications need to include much more PKI functionality. This is being implemented via PKI vendor tool kits, and we are beginning to see a new wave of applications which are advertised as "PKI Ready".
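The automated CRL checking referred to above is something an application has to do for itself; the following is an added worked example, not code from the report or from any of the vendors it covers. Using only the Go standard library, it builds a constructed in-memory root CA (the name "Example Root CA", the two user names, the serial numbers and the fixed clock are all assumptions), issues two S/MIME certificates, revokes one, signs a CRL, and then checks each certificate by building the chain and applying the CRL separately, because Go's certificate verification does no revocation checking on its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Now is a fixed clock (an assumption) so validity periods and CRL freshness are deterministic.
var Now = time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC)

// mint generates a fresh P-256 key, has parent sign tmpl for it (self-signed when
// parentKey is nil) and re-parses the result so fields such as SubjectKeyId are populated.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewRoot creates a constructed root CA (assumed name, not any vendor's product) allowed to sign certificates and CRLs.
func NewRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             Now.Add(-time.Hour),
		NotAfter:              Now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to sign a CRL
	}, nil, nil)
}

// Issue signs an end-entity S/MIME (e-mail protection) certificate with the given serial number.
func Issue(root *x509.Certificate, rootKey *ecdsa.PrivateKey, cn string, serial int64) (*x509.Certificate, error) {
	cert, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    Now.Add(-time.Hour),
		NotAfter:     Now.Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, root, rootKey)
	return cert, err
}

// SignCRL produces a DER-encoded CRL listing the given entries, fresh for 24 hours from Now.
func SignCRL(root *x509.Certificate, rootKey *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate) ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          Now,
		NextUpdate:          Now.Add(24 * time.Hour),
		RevokedCertificates: revoked,
	}, root, rootKey)
}

// Check builds the chain to root and then applies the CRL itself, since Certificate.Verify does no
// revocation checking. (true, nil) = good, (false, nil) = revoked; an error means the chain or the
// CRL cannot be trusted (bad signature, outside its validity window): an unusable CRL never means "not revoked".
func Check(leaf, root *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := leaf.Verify(opts); err != nil {
		return false, fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, fmt.Errorf("crl parse: %w", err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return false, fmt.Errorf("crl signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("crl not valid at %s (nextUpdate %s)", now, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	root, rootKey, err := NewRoot()
	if err != nil {
		panic(err)
	}
	alice, _ := Issue(root, rootKey, "alice@example.test", 1001) // assumed user names
	bob, _ := Issue(root, rootKey, "bob@example.test", 1002)
	crl, _ := SignCRL(root, rootKey, []pkix.RevokedCertificate{{SerialNumber: bob.SerialNumber, RevocationTime: Now}})
	fmt.Println(Check(alice, root, crl, Now)) // true <nil>
	fmt.Println(Check(bob, root, crl, Now))   // false <nil>
}
```

The point of the separate `Check` step is the one the paragraph makes: chain building alone says nothing about revocation, so the application must fetch the CRL (in a real deployment from the distribution point named in the certificate), verify its signature against the issuer, and refuse to treat a certificate as good when the CRL is missing, tampered with, or past its nextUpdate time.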

Another important question is "how do you find a public key certificate?" Earlier in this report we referred to the requirement to transmit the digital certificate and public key with the message so that the recipient has instant access. Some applications do this automatically; it is part of the S/MIME standard, for instance. But what happens if you need to communicate securely with someone for whom you have no certificate and who does not know you?

Where one of the well-known public CAs has issued the certificate, life is made easier by the fact that the details are published in a searchable directory. Not every CA is as well known as the likes of VeriSign, however, and not all their directories are searchable by just anybody. Ideally, we need one large "master directory" for all certificates issued by any CA, but this Utopia is a long way from fruition.

Only as PKI standards are ratified and compliance becomes widespread will functionality be built into applications. We are in the early stages at the time of writing, and much more work needs to be done to make widespread adoption of PKI a reality.

The Products

PKI is far from being a "no brainer", and most of the current crop of PKI vendors are to be congratulated on even coming close to providing a shrink-wrapped solution for such a complex requirement.

Do any of them meet the high standards set in our Introduction chapter? At the moment, none of them fulfil all our wishes. Entrust and RSA come closest, but they require some form of proprietary client-side software in order to provide full functionality (such as CRL checking and key histories). Both are also rather expensive. One of the new entries to this year's report, KeyOne from Safelayer, is one of the most flexible products we have seen to date. As well as providing a simple method of extending and amending processes within the PKI, it also offers two distinct models out of the box, both on-line and off-line. Pricing, too, is very attractive.

With the release of version 5.0 of its product, however, Entrust has continued to raise the bar for the competition, now providing a zero-footprint Java client for B2B and B2C applications that require secure logon to the PKI without the use of a proprietary client, support for multiple CAs in a single host, automatic RA capability, and roaming users, amongst other things. CA administration is also much easier.

It is interesting to note that other vendors have rapidly followed suit with the zero-footprint client approach, RSA providing similar functionality in Keon 5.7, together with a much more feature rich CA as a result of its acquisition of Xcert International Inc. and the absorption of the Xcert Sentry technology into the Keon product line.

Baltimore continues to provide one of the most administrator-friendly (at least at first glance) and cost-effective PKI solutions, though the GUI-based CA administration can cause problems in large deployments with many RAs, when the screen can become quite cluttered. It also currently falls short of Entrust and RSA in terms of automatic CRL checking, automatic key update, key histories, and so on - it simply cannot offer these facilities without client-side software. Some is appearing, of course, written using vendor tool kits. However, this introduces the thorny issue of standards.

If we have a so-called "standard" in terms of X.509v3 certificates, why is it that certificates issued by one CA cannot be recognised by another? Will applications written using one vendor's tool kit work with another vendor's CA? It might not be wise to put money on this, although the situation is certainly getting much better now that standards are being ratified and adopted, and has improved dramatically since the first edition of this report was published.

Another area that still does not seem to be moving fast enough (this is not the first year we have mentioned this!) is adoption of smartcards. The appearance of smartcard readers on major brands of laptop and desktop PC heralds a new era for authentication at the desktop and on the move, but at what point will they become as ubiquitous as the CD-ROM drive?

The smartcard industry also needs to work harder on standards compliance, and on solving some of the thornier issues relating to PKI. For instance, keys generated on a crypto smart card cannot be backed up by the PKI: the card simply will not allow the keys to be exported, since that would violate the premise of non-repudiation. However, this introduces an important single point of failure: if a user loses his smartcard, he loses his private keys and his digital identity.

Encryption keys can only be backed up when they are generated in software by the PKI solution, and they can then be written to a memory smartcard, but these devices are not ideal in terms of security. For the time being, we are caught between a rock and a hard place here.

At the time of writing, the most elegant solution to this problem is offered by RSA Security with Keon Security Server and Keon Desktop. This provides the best compromise between security and portability, especially when combined with the one-time password token system offered by SecurID. It can also be deployed alongside other CA products, but you would need a healthy budget.

Which brings us on to the issue of pricing: should you choose a product that licenses by user (unlimited certificates) or by certificate? We have attempted to reduce the often complex pricing models employed by the PKI vendors into some sample prices for a given scenario to provide like-for-like comparisons. However, with all vendors you need to approach them and discuss applications and how the certificates will be used.

A product that looks expensive on paper may work out less costly in the long run for a particular application. Likewise, cheapest on paper may not turn out to be cheapest to deploy on a large scale. The price comparisons in this report can only provide a starting point for further discussion, and it is impossible to make firm recommendations based on the figures quoted here.

One of the most interesting products from a pricing point of view is undoubtedly the BT TrustWise offering which charges a per certificate license fee on a yearly basis. This means that you never stop paying for the certificates, and the deployment costs can be quite expensive for large numbers. However, this should be balanced against the fact that the "hidden" costs of operating a secure CA facility are removed from the equation altogether. It is also unlikely that most organisations would ever be able to afford to implement a facility as secure as those offered by VeriSign and BT.

However, another of the participants in the managed PKI section of the report, De La Rue InterClear, provides a much more flexible outsourced offering at a much more reasonable cost level. De La Rue too removes the responsibility of shouldering the infrastructure burden from the customer, and can provide a rich, fully tailored offering, with a fully customised CPS, that even goes as far as including "white label" certificates in order to protect the customer's brand. This one is well worth a look for those interested in examining the managed services approach.

Things are improving almost on a daily basis in the PKI industry. New releases are appearing ever more regularly from the major vendors, and PKI-aware applications are becoming more common. For the time being, however, it is a case of caveat emptor: make sure you confirm with your PKI suppliers that all the components you wish to deploy will interoperate successfully.


Copyright © 1991-2002 The NSS Group.
All rights reserved.