PKI Group Turns To Teaching Technology


Beyond documents already released this week, The PKI Forum is now
readying a series of tutorials aimed at helping network managers and
other technology buffs comprehend the intricacies of public key
infrastructure (PKI) security.


“People who already have a good technical foundation will be able
to jump into these (upcoming) materials very quickly, to learn more
about PKI,” predicted Lisa Pretty, president of the vendor/end user
industry consortium.


The PKI Forum was founded in 1999 by five vendors — IBM, Microsoft,
RSA Security, Entrust, and Baltimore — who were mainly interested in
PKI interoperability at the time. Over the years, increasing numbers
of ISVs and end user organizations have joined the group, according to
Pretty. As of July, 2001, 90 companies and other organizations
belonged to the group.


At the CardTech/SecurTech (CTST) conference in New Orleans this week,
the forum set forth new directions that include a stronger thrust
toward user education, greater internationalization, and a big focus
on three industries: government, finance, and health. The group is
also on the lookout for more end user involvement.


“A lot of people today find PKI to be very complicated. We want to
make it so that the average person can understand the ‘nuts and
bolts.’ We’d like to serve as a single source of information, so
that if people have questions, they can come to us. We’ll be trying
to reach both business decision-makers and people who will actually be
working with PKI,” Pretty said. Later on down the line, the group
might start trying to explain PKI to consumers.


Analyst groups such as IDC and Frost & Sullivan have pointed to ease
of use, understanding, and interoperability as major
“inhibitors” to the use of PKI security.


For their part, PKI Forum members see government and finance markets
as current drivers toward PKI, and health care as a future
driver. “Government has been the biggest single implementer of
PKI. Finance has also been getting a lot out of PKI, because PKI shows
particular benefits in high volume B2B transactions. Health care will
be forced to implement PKI, to comply with government regulations,”
Pretty maintained.


During a meeting in Amsterdam from June 18 to 20, the forum will
release a white paper on PKI return on investment (ROI), along with
the first “snippet” from a longer technical tract,
“Implementation Guidelines,” according to Pretty. The forum
refers to its documents as “deliverables.”


“The ROI white paper can help network administrators understand why
PKI is being done,” Pretty contended. The first section of the
implementation guidelines, on the other hand, will deal with the
technical ins-and-outs of ID management.


At the CTST show this week, the group put out two other
documents. “PKI Notes: Smart Cards” was done by the forum’s
Technical Working Group. The Business Working Group, on the other
hand, prepared “PKI Basics: A Business Perspective,” a primer on
the role that PKI and other security technologies can play in
mitigating risk.


The PKI Forum hired paid professional staffers to head up the two
working groups earlier this year. Each working group includes reps
from both vendor and end user organizations. The reps serve on the
working groups as volunteers.


“At meetings of the Tech Working Group, representatives from end
user organizations like Johnson & Johnson bring people they work with
along with them. This sometimes includes network managers,” Pretty
said.


Steve Lloyd is paid chair of the Tech Working Group. Lloyd is being
helped by Andrew Nash as vice chair. Patricia Lareau is the forum
staffer in charge of the Business Working Group.


“Last year, with all the changes in the economy, a lot of companies
were acquired or scaled back. Vendors who belong to our group
didn’t have as many resources. So we decided to put some of our
dollars into our technical and business working groups,” according
to Pretty.


Jeff Stapleton, a co-author of “PKI Notes: Smart Cards,”
outlined some of the contents of that new document. “It covers how
PKI interacts with smart cards. We also include an overview of
authentication, since you can never tell about the level of technical
education of the people who’ll be reading the paper,” said
Stapleton, who is a manager in KPMG LLP’s Risk Advisory Services
Practice.


“We talk about tokens, ranging from floppy disks to cryptographic
devices. We also discuss technology trends, including (moves toward)
putting dual chips on a single card, and faster chips, more memory,
and greater bandwidth,” he added.


“It’s really getting feasible to do some major applications that
people have wanted to do. You can store your private key on your smart
card. You can actually do a digital signature. Pricing is coming down,
too,” according to Stapleton. In March, Stapleton was named a PKI
Forum Board member for 2002-2003.


In a preface to the smart cards piece, the co-authors write, “For
many years, particularly in the United States, smart cards were
considered a technology solution in search of a business
problem. Recent trends, events and innovation with regard to smart
cards and their use with digital certificates suggest that this is no
longer the case. Smart cards are a ‘something you have’
authentication factor, which can secure and enhance PKI
technology. (At) the same time, PKI technology can enhance the use of
smart cards.”


The new PKI Forum board announced in March was chosen to reflect
“diversity,” according to Pretty. Other members include Mitch
Arnone of smart card maker Schlumberger; Helen Mullenger of Baltimore
Technologies (UK); Patrick Gen Kanaishi of Neucom (Japan); David Brink
of RSA Data Security; Terry Leahy of Wells Fargo; and John Sabo of
Computer Associates.


At a meeting set for November 5 to 7 in Dallas, the forum expects to
issue a companion piece to the just released “PKI Basics: A
Business Perspective.” Also a product of the Technical Working
Group, the future piece will be known as, “PKI Basics: A Technical
Perspective.”


The forum’s upcoming meetings in June and November will include
one-day public educational seminars called, “PKI Today: Issues and
Applications.”


Other PKI documents already available for free download
(http://www.pkiforum.org/resources.html) include white papers on PKI
interoperability and CA (certificate authority)-CA interoperability,
along with PKI Notes on CA trust; PKI policy; biometrics; and US
healthcare.




See All Articles by Columnist
Jacqueline Emigh
