Covers a broad range of material related to PKIs, including certification, operational considerations and standardization efforts, as well as deployment issues and considerations. From the Publisher Without doubt, the promise of public-key infrastructure (PKI) technology has attracted a significant amount of attention in the last few years. Hardly a week goes by without some facet of PKI being addressed in a newspaper, trade journal, or conference paper. We hear and read about the promise of authentication and non-repudiation services provided through the use of digital signature techniques and about confidentiality and key management services based on a combination of symmetric and asymmetric cryptography—all facilitated through the realization of a supporting technology referred to as PKI. In fact, many people consider the widespread deployment of PKI technology to be an important enabler of secure global electronic commerce. Although the foundation for PKI was established over two decades ago with the invention of public-key cryptography, PKI technology has been offered as a commercially viable solution only within the last few years. But what started as a handful of technology vendors a few years ago has seen the birth of dozens, perhaps hundreds, of products that offer one form or another of PKI-related service. Further, the commercial demand for PKI-based services remains strong, and available evidence suggests that this will continue for the foreseeable future. Still, as a technology, PKI is fairly new. And to many, PKI technology is shrouded in mystery to some extent. This situation appears to be exacerbated by the proliferation of conflicting documentation, standards, and vendor approaches. Furthermore, there are few comprehensive books devoted to PKI that provide a good introduction to its critical concepts and technology fundamentals. Thus, the authors share a common motivation in writing this book: to provide a vendor-neutral source of information that can be used to establish a baseline for understanding PKI. In this book, we provide answers to many of the fundamental PKI-related questions, including What exactly is a PKI? What constitutes a digital signature? What is a certificate? What is certificate revocation? What is a Certification Authority (CA)? What are the governing standards? What are the issues associated with large-scale PKI deployment within an enterprise? These are just some of the questions we explore in this book. Motivations for PKI It is important to recognize that PKI is not simply a "neat" technology without tangible benefits.When deployed judiciously, PKI offers certain fundamental advantages to an organization, including the potential for substantial cost savings. PKI can be used as the underlying technology to support authentication, integrity, confidentiality, and non-repudiation. This is accomplished through a combination of symmetric and asymmetric cryptographic techniques enabled through the use of a single, easily managed infrastructure rather than multiple security solutions. (See Chapter 2, Public-Key Cryptography; Chapter 3, The Concept of an Infrastructure; Chapter 4, Core PKI Services: Authentication, Integrity, and Confidentiality; and Chapter 5, PKI-Enabled Services.) PKI offers scalable key management in that the overhead associated with the distribution of keying material to communicating parties is reduced significantly when compared with solutions based solely on symmetric cryptography. (See Chapter 2 for a description of symmetric and asymmetric cryptographic techniques.) Ultimately, however, the primary motivations from a business standpoint are not technical but economic: How can PKI give a positive return on investment? To that end, judicious deployment of a single, unifying PKI technology can help, among other things Reduce administrative overhead (when compared with the deployment of multiple point solutions) Reduce the number of passwords required by end users (and, consequently, the administrative and help desk costs associated with managing them) Reduce paperwork and improve workflow efficiencies through more automated (and more secure) business processes Optimize work-force productivity (by ensuring that users spend less time contending with the security infrastructure and more time on the job at hand) Reduce requirements for end-user training related to the use of the security services (because there is one security solution rather than many) Not only does PKI technology have the potential to realize cost savings, but in some cases it also might even be a source of revenue for an organization (through support for new services that might otherwise not be offered). Benefits and related business considerations associated with PKI technology are discussed further in Part III, Deployment Considerations.

With the recent Electronic Signatures in Global and National Commerce Act, public key cryptography, digital signatures, and digital certificates are finally emerging as a ubiquitous part of the Information Technology landscape. Although these technologies have been around for over twenty years, this legislative move will surely boost e-commerce activity. Secure electronic business transactions, such as contracts, legal documents, insurance, and bank loans are now legally recognized. In order to adjust to the realities of the marketplace, other services may be needed, such as a non-repudiation service, digital notary, or digital time-stamping service. The collection of these components, known as Public Key Infrastructure (PKI), is paving the way for secure communications within organizations and on the public Internet.