

January 31, 2000

InternetView:
What Is Public Key Infrastructure?

By Jason Levitt

Emerging Internet technologies are often the most challenging to grasp, and public key infrastructure--technology for establishing a secure method of exchanging information--is one of the most confusing. This was pretty clear from my sampling of attendees at the recent RSA Data Security Conference in San Jose, Calif.

Any confusion is certainly not RSA's fault. The conference had some excellent technical sessions and offered the opportunity to hear a good mix of research, standards, and practical applications of PKI. What became obvious to me, though, after a couple of days of these sessions, was that the term "public key infrastructure" is a moving target.

Just what does PKI mean? Digital certificates? Certificate servers? Directory servers? Cryptographic methods? Security policy? Security management? Without a doubt, PKI encompasses a broad spectrum of technologies with a dizzying array of possible applications.

Paul Van Oorschot, VP of Entrust Technologies Inc., did an excellent job of categorizing PKI technologies in his talk, titled "Apples and Oranges and PKI." He pointed out that there is "not only a lack of consensus of what the term PKI encompasses, but also a failure to realize that there is a lack of consensus."

Everyone thinks they're talking about the same thing when they refer to PKI, but often they're not. Analysts frequently refer to "PKI spending" without explaining the specific technologies to which they're referring. Vendor literature often ignores the complicated issues surrounding key management. Marketing literature is particularly inept when describing PKI technologies, and rarely mentions the spectrum of management and security-policy issues that might have to be addressed by adding PKI technologies to an existing IT infrastructure.

Combine the confusion over the definition of PKI with the fact that PKI standards are still emerging, and you begin to realize why marketing hype over the technology is rampant but actual implementations are proceeding at a snail's pace. PKI implementations are still largely in the business-to-business sector, and it doesn't look like we'll be seeing any rollouts of digital certificates to public end users in the United States for a while.

