
PKI will ensure trust in e-commerce transactions

Johannesburg, 26 Feb 2001

A great deal of time and attention has been devoted to heralding the economic potential of the Internet and wireless networks. Public Key Infrastructure (PKI) and the trust it adds will realise that potential.

PKI resolves the fundamental problem of trust in the Internet and wireless networks. Providing strong privacy, authentication, integrity, and non-repudiation, the PKI fulfils fundamental security requirements.

PKI is more than technology. It's the set of security services that enable the use of public-key cryptography and certificates in a distributed computing system. For example, PKI products and services allow organisations to establish security domains in which they issue keys and certificates.

Within security domains, PKI enables the use and management of both encryption keys and certificates, providing services such as key management (including key update, recovery, and escrow), certificate management (including generation and revocation), and policy management. PKI products also allow organisations to establish trusted relationships with other security domains, either in a certification hierarchy or through direct cross-certification.

Perhaps the thorniest issue facing all certification systems is the life-cycle management of digital certificates.

Certificate Authorities (CAs) have to provide the current status of any digital certificate they have issued, as electronic and mobile commerce will require that certificates be validated each time they are used, just as credit cards are authorised. CAs can validate certificates using certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP).

Certificate revocation lists are simply lists containing all certificates which are no longer valid. Each CA ideally maintains and updates the list so anyone can check a digital certificate against the list and validate a certificate issued by a CA.

For small-scale applications this works well. But for far-flung Internet commerce transactions, CRLs can quickly scale to an unmanageable size.

The more critical an application's security requirements are, the more important real-time certificate validation becomes. Delays in updating CRLs in large monetary transactions create credit risk.

OCSP offers a solution to this problem by providing real-time validation for certificates. But OCSP is an early-stage standard. Currently, an IETF working group has defined methods for using OCSP with HTTP. Other protocols, such as FTP or SMTP, are currently in discussion. While OCSP does not address all concerns regarding scalability and performance, real-time validation will be indispensable for large-scale business-to-business e-commerce.
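The gap between a periodically published CRL and a real-time status query can be shown with a small model. This is an added example, not part of the original article: the `Crl` record, the CA name, the serial numbers and the daily publishing schedule are all constructed, and `real_time_status` is a simplified stand-in for an online query, not an OCSP implementation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Crl:
    """Constructed stand-in for a parsed CRL (not a real X.509 structure)."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: frozenset          # serial numbers the CA has revoked

def check_against_crl(crl, issuer, serial, now):
    """Return 'revoked', 'good' or 'unknown' for one certificate."""
    if crl.issuer != issuer:
        return "unknown"        # a list from another CA says nothing about this cert
    if not (crl.this_update <= now < crl.next_update):
        return "unknown"        # stale list: its silence is not evidence, fail closed
    return "revoked" if serial in crl.revoked else "good"

def real_time_status(ca_records, serial, now):
    """Model of an online status query answered from the CA's current records."""
    revoked_at = ca_records.get(serial)
    return "revoked" if revoked_at is not None and revoked_at <= now else "good"

def exposure_window(revoked_at, publish_times):
    """Delay between a revocation and the first CRL issue that can list it."""
    later = [t for t in publish_times if t >= revoked_at]
    return min(later) - revoked_at if later else None

# Constructed scenario: "Example CA" issues a CRL daily at midnight;
# serial 42 is revoked at 09:30 and presented for a payment at 15:00.
DAY1 = datetime(2001, 2, 26)
PUBLISH = [DAY1, DAY1 + timedelta(days=1)]
REVOKED_AT = DAY1 + timedelta(hours=9, minutes=30)
NOW = DAY1 + timedelta(hours=15)
MORNING_CRL = Crl("Example CA", PUBLISH[0], PUBLISH[1], frozenset({7, 19}))
CA_RECORDS = {7: DAY1 - timedelta(days=3), 19: DAY1 - timedelta(days=1), 42: REVOKED_AT}

if __name__ == "__main__":
    print("CRL lookup at 15:00:    ", check_against_crl(MORNING_CRL, "Example CA", 42, NOW))
    print("real-time query:        ", real_time_status(CA_RECORDS, 42, NOW))
    print("exposure window:        ", exposure_window(REVOKED_AT, PUBLISH))
    print("same CRL two days later:",
          check_against_crl(MORNING_CRL, "Example CA", 42, NOW + timedelta(days=2)))
```

The CRL lookup still reports the revoked certificate as good until the next issue is published, which is the delay the article describes as credit risk; an expired list is treated as giving no answer at all.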

SSL VS SET

Capitalising on the enormous opportunity of online commerce remains at the heart of public key applications development. Secure Sockets Layer (SSL), developed by Netscape, was designed to incorporate public key technology into Web browsers and thereby enable secure transactions via the Internet. Another standard, Secure Electronic Transactions (SET), developed jointly by Mastercard and Visa, was designed to use public key encryption technology for credit card-based commerce on the Internet.

SET and SSL are targeted at different applications. SET enables credit card transactions on the Internet by replacing every step in the existing processing system with an electronic version. SSL is designed to secure communications between a browser and a server.

However, the most common usage of the Internet today is via browsers, and it has been suggested that SSL used in combination with LDAP can accomplish everything SET can without expensive software infrastructure upgrades. The sluggish market reception to SET may indicate it is too complex and costly for current applications.

And then there's the issue of standards, which will play an important role in establishing interoperability.

Today, standards exist or are emerging in two basic areas. First, RSA's Public Key Cryptography Standards (PKCS) define many essential PKI components, including digital signatures and certificate request formats. Second, one of the more important standards is the PKIX (Public Key Infrastructure X.509) standard currently being developed by the IETF.

PKIX provides a framework to integrate the various public key tools into a PKI based around X.509 digital certificates. The IETF is also developing an alternate approach, in parallel, known as the Simple Public Key Infrastructure (SPKI). SPKI is focused on delivering services such as privileges rather than a comprehensive PKI.

At the heart of the two standards lies a philosophical debate over how public key technology will be used. Will public key technology be used in a comprehensive architecture or will it be used in a more limited and temporary fashion? Ultimately, the market will decide how it employs the PKI, and the IETF has standards prepared for both scenarios.

The process of sorting out the various proposals has not been completed, and vendor support for them is sometimes inconsistent. In addition, the PKIX specifications will not displace PKCS - the two will coexist and interoperate.

Important questions surrounding PKI - particularly manageability - have yet to be fully answered. Consequently, businesses should carefully choose how, when, and where to implement PKI products.
