From: www.itworld.com

Improving ROI for PKI

by Mandy Andress

June 25, 2001 —

Each of the past few years was supposed to herald the onset of PKI (public key infrastructure), the digital certificate-based technology that allows users to safely exchange data on insecure networks.

But PKI has yet to gain a foothold. The technology's complexity and general lack of interoperability have stunted its growth in many enterprises. Yet the PKI dream refuses to die, and vendors are working to improve their offerings.

All that effort is finally starting to pay off, judging from our experience with a prerelease version of Entrust Technologies Inc.'s Entrust/PKI 6.0, slated for release this summer. The Entrust/PKI 6.0 beta impressed us with improved deployment options and enhanced integration with a wide range of applications, meaning that enterprises should gain a higher return on their PKI investments -- and reap those benefits faster -- if the final version of this product follows suit.

Plays well with others

The interoperability improvements top the list of the product's new features. Entrust/PKI 6.0 supports PKCS (Public Key Cryptography Standards), the family of standards originally published by RSA Laboratories that defines interchange formats for keys, certificates, and cryptographic messages.

With Version 6.0, you can export keys and certificates in PKCS #12 format, a password-protected container that bundles a user's private key with its certificate so both can be stored and carried to other software. Those bundles can then be imported into applications that are not Entrust-enabled. Previous versions required every application to be Entrust-enabled; now an application need only be PKI-aware, that is, able to consume standard formats such as PKCS #12. And because most new applications are being developed with PKI in mind, integration has become much easier.

Entrust/PKI 6.0 also boasts better integration with Microsoft Corp. platforms. For example, Version 6.0 works smoothly with Active Directory. Administrators can opt to use Active Directory as the certificate repository, so user administration can be centralized with Active Directory management tools. As a result, user administration can be a simpler, less time-consuming chore.

Another key Microsoft integration feature resides on the desktop side, via the Entrust/Entelligence client program. Here, Entrust has integrated with Microsoft's CryptoAPI interface, which Windows and Microsoft applications use for their cryptographic functions. Consequently, Entrust keys and certificates are available to the Windows OSes and to CryptoAPI-aware applications such as Outlook, Internet Explorer, and Word.

Moreover, Entrust keeps its own copy of each user's keys and certificates and synchronizes them into the CryptoAPI store automatically. The synchronization is controlled through centralized policy settings and requires nothing from the user: when a user receives a new certificate or key, the CryptoAPI copy is updated without any user intervention.

Privacy and security

The Entrust/Entelligence client also supports application signing, which allows administrators to permit only authorized applications to access Entrust keys and certificates. This feature helps protect against malicious applications that might try to misuse user keys and certificates.

Because Entrust supports Citrix Systems Inc. and Microsoft Terminal Server environments, Version 6.0 can be deployed readily in organizations that use thin-client technology to deliver applications.

The installation and configuration process was a snap. We ran the Entrust/PKI 6.0 beta on Windows 2000 servers using Active Directory as the certificate repository during our tests, and all we had to do was run the provided script and reply to a few prompts. Bear in mind, though, that the software install is rarely the hard part of a PKI program: the difficult work is defining the policies and procedures surrounding certificate issuance, life cycle, and management, and no installer can do that for you.

On the other hand, PKCS #12 export and CryptoAPI functionality must be enabled manually. Export is enabled through the Entrust/RA component. Entrust left this part of the configuration manual because not all users need to export; if yours do, the default certificate template can be changed to allow export by default.

When enabling CryptoAPI functionality, administrators have several settings to choose from. Normal CryptoAPI export lets the Entrust/Entelligence client export user keys and certificates into the CryptoAPI store automatically at log-in and on key update events. An "Allow Unprotected CryptoAPI Export" option is also available. It lets the exported private keys be protected by the Windows log-in alone, with no separate private-key password for each key, a major convenience improvement over previous versions. The trade-off is that such a key is then only as safe as the Windows account and profile that hold it: anything that runs as that user, or anyone who obtains the profile, can use the key without being challenged for a further password, so weigh the option as carefully as any other decision to let the OS session stand in for a key passphrase.
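As an added illustration (this is not Entrust code, and it is not how Entrust/RA or Entelligence perform their exports), the following Python uses the third-party `cryptography` package to build a PKCS #12 bundle from a constructed self-signed certificate and show what the bundle password actually buys. A bundle exported with a password opens only with that password; one exported without encryption, the file-format counterpart of an "unprotected" export, opens for anyone who holds the file. The subject name, friendly name and passwords are made up for the example.

```python
"""
Added example (not Entrust code): build a PKCS #12 bundle, then show what
the password protects.  Requires the third-party 'cryptography' package.
"""
import datetime
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def make_self_signed(common_name: str):
    """Generate an RSA key and a one-year self-signed certificate for it.
    Stands in for the key/certificate pair a CA would have issued."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def export_pkcs12(key, cert, friendly_name: bytes, password: Optional[bytes]) -> bytes:
    """Serialize key + certificate into one PKCS #12 (.p12/.pfx) blob.
    password=None produces an unencrypted bundle: the private key is then
    protected by nothing but control of the file itself."""
    if password:
        enc = serialization.BestAvailableEncryption(password)
    else:
        enc = serialization.NoEncryption()
    return pkcs12.serialize_key_and_certificates(friendly_name, key, cert, None, enc)


def import_pkcs12(blob: bytes, password: Optional[bytes]):
    """Open a bundle.  Returns (key, cert), or None when the password is
    wrong (the library raises ValueError when the MAC or decryption fails)."""
    try:
        key, cert, _chain = pkcs12.load_key_and_certificates(blob, password)
    except ValueError:
        return None
    if key is None or cert is None:
        return None
    return key, cert


def same_identity(original_key, original_cert, opened) -> bool:
    """True when the opened bundle carries the same certificate (DER
    comparison) and the same RSA private key (private-number comparison)."""
    if opened is None:
        return False
    key, cert = opened
    return cert == original_cert and key.private_numbers() == original_key.private_numbers()


def demonstrate() -> dict:
    """Run the three cases the article's export settings correspond to."""
    key, cert = make_self_signed("alice@example.com")  # constructed identity
    protected = export_pkcs12(key, cert, b"alice", b"correct horse battery")
    unprotected = export_pkcs12(key, cert, b"alice", None)
    return {
        # password-protected bundle, right password: key and cert come back
        "right_password": same_identity(key, cert, import_pkcs12(protected, b"correct horse battery")),
        # same bundle, wrong password: nothing comes back
        "wrong_password": import_pkcs12(protected, b"wrong") is not None,
        # unencrypted bundle: the key is recoverable with no password at all
        "no_password_on_unprotected": same_identity(key, cert, import_pkcs12(unprotected, None)),
    }


if __name__ == "__main__":
    for case, result in demonstrate().items():
        print(f"{case}: {result}")
```

The `same_identity` check compares the certificate's DER encoding and the RSA private numbers, so it would also flag a bundle that opened but carried a different key. The distinction holds for a PKCS #12 file produced by any tool: both the integrity MAC and the key encryption are derived from the bundle password, so a bundle written without one is, in effect, a plaintext copy of the private key.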

The trend in PKI today is seamless integration: you don't want users to know they are using a certificate or encryption key. According to our tests of the beta software, Entrust/PKI 6.0 makes great inroads toward seamless integration with Microsoft platforms. Even if your enterprise does not use Active Directory, Entrust/PKI 6.0 still provides excellent interoperability and life-cycle management capabilities. It should make an excellent solution for enterprises concerned about data security.

THE BOTTOM LINE: BETA
Entrust/PKI 6.0 beta
Business Case: Entrust/PKI 6.0 boasts new integration, interoperability, and deployment features to decrease the costs of rolling out a PKI solution in your office and increase ROI.
Technology Case: Thanks to centralized management within Active Directory, user administration of the product is a cinch. Support for PKCS #12 export and CryptoAPI integration provides interoperability with most existing enterprise applications.
Pros:

+ Integrates with Microsoft's Active Directory and CryptoAPI

+ Exports keys and certificates in PKCS #12 format

+ Supports application signing

+ Requires minimal configuration
Cons:

- None significant
Cost: Entrust/Authority (the CA portion) is US$10,000; additional charges of $10 per user
Platform(s): Solaris 7 & 8, Windows NT, Windows 2000
Shipping: July 2001
Company: Entrust Technologies; www.entrust.com