
InformationWeek Labs

June 14, 1999

In Keys We Trust

continued...page 2 of 3
    The focus of PKI is on digital certificates, sometimes called public certificates or public-key certificates, which are pieces of structured data used to identify users, machines, and network entities in electronic transactions. Public-key certificates are often compared with a driver's license: A driver's license has a trusted authority that issues the license (the Motor Vehicle Department), it has an expiration date, it can be renewed, it can be revoked, it can be replaced if lost, and it contains features (holograms, lamination, etc.) that keep it from being forged.

    Similarly, a digital certificate is issued by a trusted authority, called the certificate authority. It has an expiration date, can be renewed, revoked, or reinstated if lost, and uses public-key cryptographic techniques to avoid forgery. (For more information on certificates and public-key cryptographic techniques, see "The Keys To Security," InformationWeek, Aug. 31, 1998).

    In the real world, the Motor Vehicle Department provides a straightforward infrastructure to issue and manage driver's licenses. In the virtual computer world, though, the PKI necessary to manage certificates may vary from business to business. It can be very complex, involving a hierarchy of distributed certificate authorities and large directory servers, and require custom client-application modifications in order to implement. Or it can be relatively straightforward by outsourcing the certificate issuing and management to companies such as VeriSign or GTE Cybertrust, and implementing only limited authentication and encryption service for, say, just E-mail and Web-browser applications.

    A company considering implementation of an enterprisewide PKI will typically implement at least two basic components: a certificate authority for authenticating and possibly issuing certificates, and a certificate repository for certificate storage and management. A certificate authority is usually called a certificate server, and the certificate repository is usually a directory server.
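The two components just described, a certificate authority that signs and revokes certificates and a repository that stores them, together with the relying party's checks for forgery, expiration and revocation, are sketched in the following added example. It is not code from the article or from any vendor it names; it uses a deliberately tiny textbook-RSA key and integer "days" in place of real key sizes and dates.

```python
import hashlib
import json
# Toy textbook RSA over tiny fixed primes: illustration only, far too small for real use.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def to_be_signed(cert):
    # Canonical bytes of every field except the signature itself.
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()

class CertificateAuthority:
    def __init__(self, name, p, q):
        self.name = name
        self.pub, self._priv = make_keypair(p, q)
        self.repository = {}      # certificate repository (the "directory server")
        self.crl = set()          # serial numbers this CA has revoked
        self._next_serial = 1

    def issue(self, subject, subject_pub, not_before, lifetime_days):
        cert = {"serial": self._next_serial, "subject": subject, "issuer": self.name,
                "pub": list(subject_pub), "not_before": not_before,
                "not_after": not_before + lifetime_days}
        cert["sig"] = sign(self._priv, to_be_signed(cert))   # CA signs all other fields
        self._next_serial += 1
        self.repository[subject] = cert                      # publish to the directory
        return cert

    def revoke(self, serial):
        self.crl.add(serial)

    def validate(self, cert, today):
        # Checks in the order a relying party applies them: forgery, lifetime, revocation.
        if cert["issuer"] != self.name or not verify(self.pub, to_be_signed(cert), cert["sig"]):
            return "bad signature"
        if not cert["not_before"] <= today <= cert["not_after"]:
            return "outside validity period"
        if cert["serial"] in self.crl:
            return "revoked"
        return "valid"
```

Any edit to a signed field invalidates the signature, and a still-valid certificate is rejected only once its serial appears on the CA's revocation list.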

    Directory servers are used to store user information and associated security credentials such as certificates, so one of the big tasks for enterprises moving to PKI is to migrate user information (including users' certificates) to directory servers so that security management can be centralized. Major directory-server vendors are launching PKI products. Netscape's Certificate Management System 4.0, which rides on top of Netscape Directory Server 4.0, should be shipping by the end of this month.

    Meanwhile, Novell Directory Services version 8 is shipping now, but a user PKI add-on isn't expected until the fall. Microsoft has bundled its new Active Directory and Certificate Server in Windows 2000 Server, which is expected to ship in October. Microsoft has also implemented version 5 of the Kerberos protocol in Windows 2000 to increase the performance of public-key authentication.

    Setting up a machine to be the certificate authority and populating a directory server with users' security data is the server side of PKI, but to make use of PKI, applications must know how to access these servers to authenticate users and decrypt data.

    While newer applications, such as Internet Explorer 5.0, come PKI-aware out of the box, most applications don't automatically use PKI. Applications can be PKI-enabled using third-party toolkits from companies such as Baltimore Technologies, Entrust Technologies, and Xcert International.

    Secure E-mail is typical of the way desktop applications interact with PKI. Security must be enforced from the moment the message leaves the sender's E-mail program until it arrives at the receiver's E-mail program. S/MIME (Secure/Multipurpose Internet Mail Extensions) is the de facto standard for secure E-mail, and it's supported by the latest versions of Microsoft Outlook and Netscape Messenger. Microsoft E-mail shops can implement secure E-mail using S/MIME by using Exchange Server 5.5 with Service Pack 1 and the Microsoft Certificate Server. In this case, Exchange Server acts as the user directory service.

    Online Banking

    Overall, business-to-consumer E-commerce isn't one of the most important areas for PKI. Especially for E-commerce Web sites, user-name and password protection combined with credit cards is relatively easy to implement and scales reasonably well. But online banking is an area in which PKI can have rewards, especially when moving customers into other areas, such as online brokerage services. Here, the strong authentication and data encryption services make it safer to offer access to internal banking infrastructure. For Scotia Online, part of the Bank of Nova Scotia, implementation of its online banking system wasn't easy, but the results were satisfying. "The major difficulties we faced were being able to find enough knowledgeable human resources, and having to deal with the immature supporting technologies--operating systems, browsers, and firewalls," says Drew Brown, senior VP for commercial electronic banking.

    Designed for consumer and small-business customers to access online banking and discount brokerage services, Scotia Online lets customers move money between accounts and pay bills, as well as handle brokerage services. It uses ICL's X.500 directory server running under HP/UX to handle 95,000 active users, with 250,000 certificates deployed. "As far as we know, we're the largest commercial PKI implementation in the world in terms of number of managed certificates," says Brown.
