Forward: Simplifying PKI and PMI configuration

Maybe interesting for some members of the mailing lists

---------- Forwarded Message ----------
Date: Friday, 2 November 2001 03:07 -0800
From: Java_Security@itw.itworld.com
Subject: Simplifying PKI and PMI configuration

JAVA SECURITY --- November 02, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters

Simplification, not XML, is the Key to PKI Success
By James Kobielus

In this mean season, it's sad to see our fondest e-business visions
become stale jokes.

Take public-key infrastructure (PKI) technologies. More specifically,
let's take another look at yesteryear's promise of interoperable,
multivendor PKIs as a universal trust and security environment for e-
business. Sure, we have PKI standards galore, and many innovative PKI
products and services. So why has the mass market for PKI-enabled
products never taken off?

PKI's shortcomings are no secret to anyone who has tried to make it all
work together. Chief among them is its complexity: PKI must be greatly
simplified to achieve any degree of universality. In particular,
traditional PKI requires too much application preconfiguration at
browsers, e-mail clients and other desktop applications.

To its credit, the PKI industry is working to simplify its technical
approaches. PKI vendors are developing new architectures that take much
of the processing load off the overburdened client and delegate it back
to the server-side infrastructure. Chief among these are the XML Key
Management Specification (XKMS), and the equally XML-based Security
Assertions Markup Language (SAML), a permission management
infrastructure (PMI) standard being developed under the auspices of the
Organization for the Advancement of Structured Information Standards
(OASIS). Industry standards groups are also debating the merits of
proposed PMI interoperability specifications such as the XML Access
Control Markup Language (XACML).

Unfortunately, these budding, young security standards, in spite of all
their promise, may not make e-business trust infrastructures less
complex to deploy and manage. If we're not careful, we'll simply be
exchanging one complex trust environment (traditional PKI and PMI) for
another (XML-enabled PKI and PMI) at the client and server levels.

At the client level, XKMS -- the most important of the emerging but
still unfinished standards -- will let applications delegate the
retrieval, parsing and validation of X.509 digital certificates to
trusted servers, thereby reducing the PKI-enabled business logic that
must be installed on clients. However, XKMS will require retrofitting
clients to support new standards such as Simple Object Access Protocol
(SOAP) and Web Services Description Language.

Adding to the potential for complexity, XKMS and SAML, if implemented
together, will expand the range of trust servers that must
interoperate. XKMS defines two principal new infrastructure components,
Registration Servers and Assertion Servers, which support all
traditional PKI functions but do so through exchange of standardized
XML-based messages. Likewise, the SAML framework will enable standards-
based authentication and authorization through XML messaging among such
new infrastructure components as Authentication, Session and Attribute
Authorities.

Ratcheting the complexities up further, the proposed XML standards
won't necessarily blow traditional PKI and PMI architectures out of the
water. It's very likely that the XKMS and SAML worlds will need to
interoperate with legacy PKI and PMI infrastructures through adapters
and gateways for such purposes as registering and validating X.509
public-key certificates.

The new XML-based security standards are on the right track. It's a
given that XML-based application-to-application messaging and
digitally signed trust assertions will be important features of next-
generation PKI and PMI environments. But the standards development
efforts among XKMS, SAML and other leading initiatives have not been
well-coordinated. The industry should, above all else, consolidate
development of XML PKI and PMI standards under a single organizational
umbrella, rather than continue to triangulate among the Internet
Engineering Task Force, World Wide Web Consortium and OASIS. We also
need stable, open source reference implementations of these next-
generation PKI and PMI standards to jump-start widespread
implementation and interoperability.

Most important, we need radical simplicity of PKI and PMI configuration
at the client level. This stuff has to be cheap and easy to set up and
manage on the desktop, laptop and palmtop. Otherwise, it won't succeed
in the mass market. We've seen too many 1990s visions stumble on the
doorstep to the new millennium.


About the author(s)
-------------------
James Kobielus is an analyst with The Burton Group, an IT advisory
service that provides in-depth technology analysis for network
planners. He can be reached at jkobielus@tbg.com.

Received on Friday, 2 November 2001 17:02:28 UTC
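The delegation the forwarded column describes for XKMS (a client handing the retrieval, parsing and validation of X.509 certificates to a trust server) in runnable form, as an added example that is not part of the column, of the newsletter, or of any XKMS implementation. It is Python using the `cryptography` package. The trust server's signed JSON verdict is my own stand-in for an XML validate response, not the XKMS message format, and the certificate names, the "Rogue CA", and the fixed clock are constructed test data. Side by side it shows what moves off the client (the issuer lookup, signature check and validity-window logic in `validate_locally`) and what stays: the thin client must still be preconfigured with the trust server's public key and must verify the signature on every answer.

```python
"""Added example: thick-client X.509 validation next to validation delegated to a
trust server. Not the column's code and not XKMS itself; the server answers with a
signed JSON verdict as a stand-in for an XML validate response. Needs the
`cryptography` package; every certificate is constructed in-process."""
import datetime as dt
import json

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2001, 11, 2, tzinfo=dt.timezone.utc)  # constructed clock

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _validity(cert):  # cryptography >= 42 has tz-aware accessors; older ones give naive UTC
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=dt.timezone.utc),
            cert.not_valid_after.replace(tzinfo=dt.timezone.utc))

def _build(subject, issuer, pubkey, before_days, after_days):
    """Common builder; validity is given in days before/after the constructed clock."""
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=before_days))
            .not_valid_after(NOW + dt.timedelta(days=after_days)))

def make_ca(cn="Example Root CA"):
    """Self-signed EC root: constructed test data, not a real authority."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_build(_name(cn), _name(cn), key.public_key(), 1, 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(ca_key, ca_cert, cn, days_valid):
    """Leaf signed by the CA; a negative days_valid yields an already-expired cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    return _build(_name(cn), ca_cert.subject, key.public_key(), 30, days_valid).sign(
        ca_key, hashes.SHA256())

def validate_locally(cert, trust_anchors, now=NOW):
    """Thick client: issuer lookup, signature check and validity window all live in the
    application (real deployments add path building, revocation and RSA anchors)."""
    anchor = next((a for a in trust_anchors if a.subject == cert.issuer), None)
    if anchor is None:
        return "Invalid", "issuer not in local trust store"
    try:
        anchor.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "Invalid", "bad issuer signature"
    not_before, not_after = _validity(cert)
    if not not_before <= now <= not_after:
        return "Invalid", "outside validity period"
    return "Valid", "ok"

class TrustServer:
    """Server-side validation that returns a signed verdict (hypothetical shape)."""

    def __init__(self, trust_anchors):
        self.trust_anchors = list(trust_anchors)
        self.key = ec.generate_private_key(ec.SECP256R1())

    def validate(self, cert_der):
        cert = x509.load_der_x509_certificate(cert_der)
        status, reason = validate_locally(cert, self.trust_anchors)
        body = json.dumps({"subject": cert.subject.rfc4514_string(), "status": status,
                           "reason": reason}, sort_keys=True).encode()
        return body, self.key.sign(body, ec.ECDSA(hashes.SHA256()))

def thin_client_check(body, sig, server_pub):
    """Thin client: no X.509 parsing at all. It verifies one signature over the server's
    answer; the trust server's public key is the only thing still preconfigured."""
    try:
        server_pub.verify(sig, body, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return "Invalid", "trust server response not authentic"
    answer = json.loads(body)
    return answer["status"], answer["reason"]

def demo():
    """Good, expired, untrusted-issuer and tampered cases as seen by the thin client."""
    ca_key, ca_cert = make_ca()
    rogue_key, rogue_ca = make_ca("Rogue CA")
    cases = {"good": issue_leaf(ca_key, ca_cert, "alice@example.test", 365),
             "expired": issue_leaf(ca_key, ca_cert, "bob@example.test", -10),
             "rogue": issue_leaf(rogue_key, rogue_ca, "mallory@example.test", 365)}
    server, results = TrustServer([ca_cert]), {}
    pub = server.key.public_key()
    for label, cert in cases.items():
        body, sig = server.validate(cert.public_bytes(serialization.Encoding.DER))
        results[label] = thin_client_check(body, sig, pub)
    # Last (rogue) verdict flipped in transit: the client's signature check catches it.
    results["tampered"] = thin_client_check(body.replace(b'"Invalid"', b'"Valid"'), sig, pub)
    return results
```

Running `demo()` gives `Valid` for the properly issued leaf and `Invalid` for the expired leaf, the leaf from the untrusted "Rogue CA", and the answer whose verdict was altered in transit. The practitioner's caveat is the last case: delegation shrinks the client's code, but it turns the trust-store problem into a key-pinning problem. A client that skips the signature check, or fetches the trust server's key over an unauthenticated channel, accepts whatever the network tells it.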