PKI: The good, the bad and the ugly


Public-key infrastructure (PKI) is beginning to get a lot of attention. But just how good is this new technology, and what can vendors do to make it better? To find out, Network World recently assembled a who's who of PKI vendors and consultants to kick around the issues. Participants included Vijay Ahuja, a consultant with Ernst & Young; Gina Jorasch, director of evangelism for VeriSign; Michael Rothman, executive vice president of SHYM Technology; Christopher Voice, a product manager for Entrust; Paul Paget Jr., a vice president of CyberTrust, a division of GTE Internetworking; and Andrew Morbitzer, director of marketing at Baltimore, Inc.

What is the state of security today?

VeriSign's Jorasch: I think the state of technology of securities is quite far along; there are plenty of solutions out there that will solve your problem for your intranet, your extranet or electronic commerce. The main issues, right now, are: Is PKI as easy to use as companies would like? Is it as interoperable across all the different application areas as they would like to see?

From a vendor's perspective, we think PKI is ready for prime time, and we see plenty of customers who are having great success adopting PKI and enabling secure commerce and secure extranets. We think the momentum is building for more to do that.

Ernst & Young's Ahuja: From, say, the mid-to-late 1980s to early 1990s, there was this big pressure on developing security inside the network, such as passwords and access control, and I think it went pretty well. But there was this constant, lingering struggle for the security manager to justify the importance to the financial officers and the CEO. It was almost like it was an expense site investment with no returns.

Today I think the technologies are really great. And what we need is to provide complete solutions. To me, a complete solution is that if I'm an end user or I'm a client application, I should have all the security services in a way that they are hidden from me, that I do not have to know them, but they provide me complete security.

Baltimore's Morbitzer: When I'm in meetings, for the last six or eight months, I'm not just dealing with the technology person. I'm in there now with a business operations owner, a business applications owner or a business services owner, who's saying to me: 'Show me the business case.'

VeriSign's Jorasch: We have a customer who I think illustrates the change, in that their business unit actually had bonuses that were tied to whether or not they got this security extranet out within a particular time frame, which they did, which we were pleased to see. But it just shows how much more the value proposition is driving the extranet, how much more it is mission-critical and tied to the core business. This was a marketing group that had revenue riding on getting this extranet out, and I think that is new for security. It used to be infrastructure, it used to be boring, and now people's jobs are on the line to get things out there, to be competitive and to beat their competitors in the marketplace.

Ernst & Young's Ahuja: Let me bring to the surface some of the issues I think we are facing with this technology. One of them is completeness of the solution. In the particular case of digital certificates, we have the vendors creating the digital certificates, but it's almost like going and telling a chief information officer, 'Hey, listen, you've got to spend the money, but I can't tell you, in your language, what I'll do with diigital certificates because I can't relate with you. Here are digital certificates but, by the way, to do security means you've got to do another three things.'

Do we have complete turnkey solutions, so customers will feel comfortable that they're not tied down with a certain vendor?

Baltimore's Morbitzer: I think we've got something, particularly in terms of PKI, that this group seems to be very supportive of. We've talked about open standards and IT for a very long time, and a ton of them have fallen on their face. We can go across mail initiatives, X.400, we can go across directory initiatives -- all sorts of things that you look at are falling apart. And yet we're finding open standards working here.

We actually can look at applications that sit on the client and applications that sit in the server. We can test, literally in a matter of minutes, over the Internet to make sure that a server that customers want to use, a client they want to use, can work with our PKI.

So where do we stand with compatibility?

SHYM's Rothman: Let's use PKIX as an example. There are two variants of PKIX.

The way Entrust implements X.509 V3 is different than the way VeriSign implements X.509 V3. So what we've done is we've standardized terminology. We have not standardized technology.

I'm not disputing the fact that people are trying. But I see standards as a tool that vendors use time and time again as a base platform, and then they differentiate the hell out of them to try and gain a leg up in the market.

Entrust's Voice: Standards don't mean bubkes unless there's testing behind them. We have a very big advantage in that we have a common forum that most of us are turning to, which is PKIX, to provide testing. And sure, we're going to have variations, but that's always going to be the case. We need to get these things together and test, that's the only way we're going to solve interoperability problems. But I'm not sure we're that far apart. I mean, I'm sure there are different flavors, and ultimately we'll have to support a couple of different flavors.

Ernst & Young's Ahuja: Well, it's probably OK, but let me just put something in front of you. I'm a customer, I buy one of the PKI solutions, and I write my applications to use the certificates. Three months later I change to another vendor. You think I'll be able to do it without telling my applications developers?

Baltimore's Morbitzer: I think you can build applications today that move between vendors, and I'll tell you, some people have done it. Outlook Express works with all our products. Netscape Communicator works with all our products. And there is a tool kit that Baltimore sells, for example, called PKI Plus. Something written with that works great with VeriSign. And we've had people use that took kit who never buy our PKI, and they run it with all the different flavors of PKI that are in the room.

Now you can go further, and you can certainly customize, which is what gives all the different vendors a competitive edge as we come out with new releases of products. But depending on what you do, you can write PKI-neutral applications.

Ernst & Young's Ahuja: Yeah, I guess I'll give you that in some cases you are able to do it.

We all know that there is not full interoperability. Do the formats match? Suppose Entrust has a product, and I'll name one, let's say Express or whatever. Could I use VeriSign certificates to run that application?

VeriSign's Jorasch: Absolutely, you can do that.

How is the security threat changing?

Entrust's Voice: Our customers' statistics are showing that the biggest threat is coming from inside, where hackers can do a lot more damage. They have access to more high-value transactions and operations.

With the hackers, it's definitely a great public relations thing for us all. Theree's the image of the guy in the black cape and stuff, but the reality is that most of the threat from these guys is coming from inside.

VeriSign's Jorasch: And there's a whole other threat, which is the denial-of-service threat. As you depend more and more on your extranet and e-commerce, you want to make sure you can guard against that sort of threat as well.

Baltimore's Morbitzer: Identification is something we've all talked about -- proofing the individual or the services getting a certificate. That's old news. Moving forward, we will be starting to offer options, in addition to what you're doing with certificates today. These will protect your applications and your business data [and are what Icall] attribute certificates.

The idea is to start using certificates, even down to your devices. How many of us here have 10 devices that we could easily name that could use a certificate to enable something that we do? So there are actually going to be more devices that pick up the service than individuals. At some point in the 18- to 24-month future, that's where the turn will happen.

VeriSign's Jorasch: I think another big change that we're going to see in security is the real-time nature of security. When it is just internal, somebody gets fired, you've got maybe a couple of hours, maybe a day, whatever it is, where you can alleviate that security threat.

SHYM's Rothman: Everybody's looking at it wrong. Let me push that one step further. I don't think there's an inside or an outside three years from now. There's no intranet or extranet or big 'I' Internet, over time. There is just the interconnected network, whether it's based upon a web of trust or something. Because when you think about the applications that customers want to put in place, they can't do this artificial separation of, 'Let me take a subset of my data and set it out in this mythological extranet,' and that's stuff that I feel comfortable that could possibly be compromised.

In order to move to a real-time world where you've got real-time optimized supply chains, the true virtual organization, the only way that works is if you're dealing off one centralized point of data for every specific businesses out there. You can't play favorites between an internal person on the shop floor vs. a trading partner or a retail partner that's worried about where their palette of Pampers are.

The point is, we've got to build an infrastructure that may be put in place because of an extranet requirement. But if this does not map as cleanly and to the big "I" Internet from an application perspective, all of this stuff is for naught. o

ITWorld DealPost: The best in tech deals and discounts.