PKI Group Turns To Teaching Technology

by Jacqueline Emigh

Is PKI too difficult to implement and too complex to grasp? Some analysts say so as the PKI Forum works to increase user education while stressing its applicability to government, business, and health industries.

Beyond documents already released this week, the PKI Forum is now readying a series of tutorials aimed at helping network managers and other technology buffs comprehend the intricacies of public key infrastructure (PKI) security.

"People who already have a good technical foundation will be able to jump into these (upcoming) materials very quickly, to learn more about PKI," predicted Lisa Pretty, president of the vendor/end user industry consortium.

The PKI Forum was founded in 1999 by five vendors -- IBM, Microsoft, RSA Security, Entrust, and Baltimore -- who were mainly interested in PKI interoperability at the time. Over the years, increasing numbers of ISVs and end user organizations have joined the group, according to Pretty. As of July 2001, 90 companies and other organizations belonged to the group.

At the CardTech/SecurTech (CTST) conference in New Orleans this week, the forum set forth new directions that include a stronger thrust toward user education, greater internationalization, and a big focus on three industries: government, finance, and health. The group is also on the lookout for more end user involvement.

"A lot of people today find PKI to be very complicated. We want to make it so that the average person can understand the 'nuts and bolts.' We'd like to serve as a single source of information, so that if people have questions, they can come to us. We'll be trying to reach both business decision-makers and people who will actually be working with PKI," Pretty said. Later on down the line, the group might start trying to explain PKI to consumers.

Analyst groups such as IDC and Frost & Sullivan have pointed to ease of use, understanding, and interoperability as major "inhibitors" to the use of PKI security.

For their part, PKI Forum members see government and finance markets as current drivers toward PKI, and health care as a future driver. "Government has been the biggest single implementer of PKI. Finance has also been getting a lot out of PKI, because PKI shows particular benefits in high volume B2B transactions. Health care will be forced to implement PKI, to comply with government regulations," Pretty maintained.

During a meeting in Amsterdam from June 18 to 20, the forum will release a white paper on PKI return on investment (ROI), along with the first "snippet" from a longer technical tract, "Implementation Guidelines," according to Pretty. The forum refers to its documents as "deliverables."

"The ROI white paper can help network administrators understand why PKI is being done," Pretty contended. The first section of the implementation guidelines, on the other hand, will deal with the technical ins-and-outs of ID management.

At the CTST show this week, the group put out two other documents. "PKI Notes: Smart Cards" was done by the forum's Technical Working Group. The Business Working Group, on the other hand, prepared "PKI Basics: A Business Perspective," a primer on the role that PKI and other security technologies can play in mitigating risk.

The PKI Forum hired paid professional staffers to head up the two working groups earlier this year. Each working group includes reps from both vendor and end user organizations. The reps serve on the working groups as volunteers.

"At meetings of the Tech Working Group, representatives from end user organizations like Johnson & Johnson bring people they work with along with them. This sometimes includes network managers," Pretty said.

Steve Lloyd is paid chair of the Tech Working Group. Lloyd is being helped by Andrew Nash as vice chair. Patricia Lareau is the forum staffer in charge of the Business Working Group.

"Last year, with all the changes in the economy, a lot of companies were acquired or scaled back. Vendors who belong to our group didn't have as many resources. So we decided to put some of our dollars into our technical and business working groups," according to Pretty.

Jeff Stapleton, a co-author of "PKI Notes: Smart Cards," outlined some of the contents of that new document. "It covers how PKI interacts with smart cards. We also include an overview of authentication, since you can never tell about the level of technical education of the people who'll be reading the paper," said Stapleton, who is a manager in KPMG LLP's Risk Advisory Services Practice.

"We talk about tokens, ranging from floppy disks to cryptographic devices. We also discuss technology trends, including (moves toward) putting dual chips on a single card, and faster chips, more memory, and greater bandwidth," he added.

"It's really getting feasible to do some major applications that people have wanted to do. You can store your private key on your smart card. You can actually do a digital signature. Pricing is coming down, too," according to Stapleton. In March, Stapleton was named a PKI Forum Board member for 2002-2003.

In a preface to the smart cards piece, the co-authors write, "For many years, particularly in the United States, smart cards were considered a technology solution in search of a business problem. Recent trends, events and innovation with regard to smart cards and their use with digital certificates suggest that this is no longer the case. Smart cards are a 'something you have' authentication factor, which can secure and enhance PKI technology. (At) the same time, PKI technology can enhance the use of smart cards."

The new PKI Forum board announced in March was chosen to reflect "diversity," according to Pretty. Other members include Mitch Arnone of smart card maker Schlumberger; Helen Mullenger of Baltimore Technologies (UK); Patrick Gen Kanaishi of Neucom (Japan); David Brink of RSA Data Security; Terry Leahy of Wells Fargo; and John Sabo of Computer Associates.

At a meeting set for November 5 to 7 in Dallas, the forum expects to issue a companion piece to the just-released "PKI Basics: A Business Perspective." Also a product of the Technical Working Group, the future piece will be known as "PKI Basics: A Technical Perspective."

The forum's upcoming meetings in June and November will include one-day public educational seminars called "PKI Today: Issues and Applications."

Other PKI documents already available for free download (http://www.pkiforum.org/resources.html) include white papers on PKI interoperability and CA (certificate authority)-CA interoperability, along with PKI Notes on CA trust; PKI policy; biometrics; and US healthcare.

This article was originally published on Thursday Apr 25th 2002