Network Computing

IMMERSE YOURSELF:

Managing Digital Keys

By David Willis and Greg Shipley By now, you're probably as sick of reading about IP application security and the importance of cryptography and digital keys as you are of hearing "Chestnuts roasting on an open fire�" The mainstream press runs headlines about it, the government tries to control it, and software manufacturers and free speech advocates fight to expand it. Despite attention that Santa himself would covet, however, the most important enterprise security issue remains as obscure as a snowy Christmas Eve without Rudolph's illuminating nose: How does an organization manage it?

To view the Report card.
Much of the attention swirling around IP security centers on PKI (public key infrastructure), which can appear as complex and confusing as the parking lot at a busy suburban shopping mall filled with holiday bargain-hunters. Rather than rehash the technology, we decided to get our hands on the products that build PKI in the enterprise. But first, a word of warning: We assume you understand the basics of public and private key cryptography, X.509 certificates and standards such as S/MIME (Secure Multipurpose Internet Mail Extensions) and Secure Sockets Layer (SSL). If you're not completely comfortable with these subjects, please review our earlier articles on these topics before you dive into this one (see "Bridging the Business-to-Business Authentication Gap," July 15, page 62, and "Certificate Authorities: How Valuable Are They?" at www.NetworkComputing.com/806/806f1.html).

In brief, a PKI di stributes certificates that bind an individual to a public key. Access to the certificate is generally fairly open, because the crucial private key portion of the pair is held only by the user, server or process doing the signing and encryption. The X.509 version 3 certificate format is the data structure of choice, and it has massive market momentum behind it. The principal role of the X.509 certificate server is to act as a trusted third party, assisting in the authentication, verification and distribution of public keys.

PKIs may be managed by a commercial entity--such as AT&T, GTE, Thawte, VeriSign or the U.S. Postal Service. Current browsers trust many of these certificate authorities by default; organizations also may prefer to run their own PKI system. As these systems become more sophisticated and are adopted by more applications vendors, the desire to maintain PKI in-house will mount.

When we first discussed plans to review certificate servers, at least a dozen companies had products in the works. Yet by October, only three were w orthy of consideration for PKI in the enterprise: Entrust Technologies' Entrust/WebCA 1.02, Netscape Communications Corp.'s Certificate Server 1.02 and Xcert Software's Sentry CA 1.41--and these three are evaluated in this review. These are the tools that you'd use to build your in-house system, not by public providers like VeriSign.

Overall, we found that Xcert Sentry CA's flexibility, open architecture and rapid adoption of IETF (Internet Engineering Task Force) standards makes it the best strategic choice for PKI in the enterprise. On the other hand, in pure Netscape environments, the Netscape Certificate Server is a fine choice, offering solid distributed administration. If you want a simple, affordable solution for small-scale deployment, Entrust/WebCA may work.

To download an Adobe Acrobat .pdf format version of the Certificate Servers features c harts, click here.