Digital certificates and PKI have made a comeback

March 14, 2007

After all, implementing PKI was no small task. After the crash and burn following many multi-million dollar PKI projects in the late 1990s, PKI lost favor for many years. But these infrastructures never went away, and in recent years it seems they're quietly making good on at least some of the promises made during the early stages of the hype.

"It did go through a period where it was almost like a four letter word," says Sharon Boeyen, principal of advanced security for Addison, Texas-based Entrust Technologies. "Now if you say PKI you're not frowned upon. I don't think we're hearing anywhere near as much of the negativity that there was a couple of years ago."

However, the core technology surrounding digital certificates and public keys hasn't changed much in the last couple of years. So what gives? Experts believe that the renaissance in PKI stems from a better understanding of how to deploy and manage certificates while at the same time limiting the scope of individual projects.

"I would say PKI is on sort of a second honeymoon with the industry," says R. ‘Doc' Vaidhyanathan, vice president of product management at Arcot Systems, Sunnyvale, Calif. "It's a lot more muted, but it's certainly another honeymoon. About 10 years ago, everyone thought PKI was of age and spent millions of dollars building up a huge PKI infrastructure — and most of them never got deployed because of the complexity involved. I think the second time around people are coming at it with more caution. They're also trying to bring less grandiose approaches to PKI."

While Roger Sullivan, vice president of business development for Oracle's identity management solutions, agrees with Vaidhyanathan that certificates and PKI are no longer on the outs, he says he wouldn't go quite so far in describing it as a honeymoon. Most analysts would probably concur. Recent reports about certificates management offer guarded optimism. According to Gartner, the niche will likely grow to a $1 billion industry by 2010, but that is a relatively small figure considering the size of the overall security market.

"I don't know that I would call it a honeymoon," says Sullivan. "Perhaps a second date after the first one went horribly awry."

The reason the industry is even able to give digital certificates a second chance was that there was never anything wrong with the technology in the first place, he says. The problem was that expectations were just set too high in the beginning.

"There was so little experience in what it actually meant to issue these, and what business practices were required to have a digital certificate. Expectations were set falsely high by many vendors," he says. "Consequently, the customers who purchased these things and tried to deploy them were left holding the bag saying, ‘Golly, I spent millions of dollars on these certificates, they're all sitting in boxes on the shelves — metaphorically speaking — and I'm not getting any value out of this. So what the heck did I do this for?' So that put the brakes on the industry very quickly in the late 1990s."

He explains that these failed implementations didn't undermine the inherent value of PKI, they just never fully addressed the challenges of the infrastructure. As he sees it, there are three major stumbling blocks to deployment: the cost of the certificates themselves, the complexity of administration, and finding a business rationale for deployment.

While the cost of the certificates remains about the same, successful implementations work today because they are able to address the other two challenges so much better than in the past, he says.

One of the problems PKI had during the first go-round was that there was too much touch required by the end-user. Experts believe that a big factor that lead to acceptance of PKI is that over the past several years, certificate and key management solutions have excelled at creating situations that require zero user interaction.

"People are deploying PKI, and users don't really even know that that is what is happening," Boeyen says. "More deployment is happening, but it is truly transparent to the end-user, as it should be."

Businesses have also been able to simplify deployment as those involved realized that they didn't have to spend a lot of time building out sophisticated infrastructures right away.

"In terms of the way companies roll them out, the process has been evolving," says Paul Kocher, president of Cryptography Research, San Francisco.

This has been made possible as specialty PKI vendors and even larger software vendors, such as Microsoft, have created software and services to make it easier to deploy infrastructures. In fact, Microsoft is just getting ready to release Certificate Lifecycle Management in the early part of 2007. Some believe that digital certificates will become easier to handle as certificate management becomes more embedded into hardware.

"PKI is getting embedded under the hood in just about every place you can imagine," Kocher says. "The trend is to embed it as a feature into something that people don't necessarily pay for. Instead, they just get it."

A shining example of this is found in the Trusted Platform Module chips that are routinely built into almost all of today's motherboards, says Steven Sprague, president and ceo of Wave Systems, a Lee, Mass.-based leader in computing applications and services.

"I can contain hundreds of certificates inside that Trusted Platform Module," he says.

While simplification of certificate management has been critical to the PKI renaissance, Oracle's Sullivan believes that success has also been bred by limiting the scope of projects. "Perhaps most importantly, we have become much more clear as business people as to what kinds of transactions require certificates and what kinds of transactions do not," he says. "And simply by making that delineation, we're able to more effectively and efficiently deploy certificates. Not everybody needs an armored car, but when you need it, you really want it to be there."

Boeyen agrees that today's enterprise doesn't seek out digital certificates just because they'll feel good to have. Instead, businesses are letting the needs of the business drive adoption.

"People are not deploying PKI for the sake of deploying PKI, or for the sake of deploying an infrastructure," she says. "They're deploying it to meet a particular business need that they actually have. So they start with a particular application and then it can grow beyond that."

 

SSL CERTIFICATES:
CA Browser Forum

One of the most stable and proven forms of digital certificates rolled out over the years are SSL certificates for web transactions. However, SSL has suffered from a bit of stagnation since hitting the market full force in the mid-1990s, says Spiros Theodossiou, senior product manager for VeriSign, who explains that the newly released Extended Validation SSL (EV SSL) is an answer to this problem.

"Over the past 10 years, SSL has been a little bit stale," he says. "When SSL certificates first came out there was really just the yellow padlock in the bottom right hand side of the browsers. Then about five years ago some competitors came out into the market where instead of doing rigorous authentication of certificates they were just really doing domain authentication — verifying that the owner owns the domain."

As a result, Theodossiou explains, the trustworthiness of SSL was diluted. When this issue is combined with clever attacks from phishers looking to fool consumers, he said it became clear that the certificate authorities needed to work with browser vendors to improve SSL technology.

To solve the problem, 15 certificate authorities and four browser vendors have been working together under the auspices of the CA Browser Forum. The culmination of their work over the past two years occurred in January when EV SSL was enabled within Internet Explorer 7. Most evident among the improvements for consumer are the browser address bar colors — the bar turns green when a site has an EV SSL certificate in place.

Though the new technology's evangelists claim that EV SSL trust anchors are more distinguishable from normal SSL indicators and less vulnerable to attacks, researchers from Stanford University have already published research to the contrary. In a recent paper on EV SSL and picture-in-picture attacks, Collin Jackson, Daniel Simon, Desney Tan and Adam Barth wrote that out of 27 users, only three were able to consistently pick out all three fraudulent picture-in-picture sites attacking EV SSL technology that were used in their study.

Other critics of EV SSL have attacked the new certificate technology due to its inability to validate small businesses. The CA Browser Forum excluded sole proprietors from EV SSLs because members couldn't agree on a way to effectively validate them. As a result, EV SSL is only for corporations. With more than 20.6 million sole proprietorships and general partnerships in the U.S., that is a lot of businesses left out in the cold.

"Of course, if a merchant's bar doesn't turn green it doesn't mean that they're bad. It'll be white, which indicates ‘no information.' But small businesses are worried that customers will be afraid to buy from non-green sites," wrote Bruce Schneier, CTO of BT Counterpane, in a recent blog entry on the topic. "That's possible, but it's more likely that users will learn that the marker isn't reliable and start to ignore it."

— Ericka Chickowski

 

DIGITAL CERTIFICATES
Three Considerations

There are three major considerations to think about when deploying digital certificate infrastructure and management solutions.

1. Management of certificate lifecycle — There should be an easy way to maintain certificates and ensure a smooth rollover to new certificates before the old certificates expire. This is critical to maintain transparency.

2. Maintainence of certificate history — You should have a mechanism to maintain a history of old certificates and keys for any user who is encrypting data. They need to keep old keys that have rolled over to be able to decrypt information that was encrypted with the old keys.

3. Backing up certificates — The enterprise needs to have access to backed up certificates and keys in the event that a user somehow loses or deletes the original. This is the only way to ensure the enterprise will always be able to access the data no matter what the user does.

prestitial ad