Kapil Raina PKI Security Solutions for the Enterprise: Solving HIPAA, E-Paper Act, and Other Compliance Issues


Post on 17-Sep-2019


  • Kapil Raina

    PKI Security Solutions for the Enterprise:

    Solving HIPAA, E-Paper Act, and Other Compliance Issues

    31529X FM.qxd 3/20/03 11:21 AM Page iii


  • Publisher: Robert Ipsen
    Executive Editor: Carol Long
    Assistant Developmental Editor: Adaobi Obi Tulton
    Editorial Manager: Kathryn Malm
    Managing Editor: Angela Smith
    Text Design & Composition: Wiley Composition Services

    This book is printed on acid-free paper. ∞

    Copyright © 2003 by Kapil Raina. All rights reserved.

    Published by Wiley Publishing, Inc., Indianapolis, Indiana
    Published simultaneously in Canada

    No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8700. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-mail: [email protected].

    Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

    For general information on our other products and services please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

    Trademarks: Wiley, the Wiley Publishing logo and related trade dress are trademarks or registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

    Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

    Library of Congress Cataloging-in-Publication Data:

    ISBN: 0-471-31529-X

    Printed in the United States of America

    10 9 8 7 6 5 4 3 2 1


  • To Amrita, For all of her love and understanding

    in helping me reach my dreams.


  • Contents

    Acknowledgments

    Introduction

    Part One: Trust Basics: Ins and Outs of PKI

    Chapter 1: What Is Trust?
      Trust in the Digital World
      Defining Trust
      Implementing Trust
      Trust Policies
      Privacy
      Proper Use of Information
      Recourse in the Event of Breach of Trust
      Continuity of Trust
      User Consent
      Trust Infrastructure
      Physical Layer
      System Layer
      Application Layer
      Trust Affiliations
      Legal Issues with Trust in the Electronic World
      Binding Trust with the Law
      P3P
      Digital Trust Solutions
      Summary: The Need for Solutions

    Chapter 2: Complexities of PKI
      PKI: A Basis for Digital Trust
      Why Is PKI So Complicated?
      Security Issues
      Privacy
      Authentication
      Integrity
      Authorization
      Nonrepudiation
      Applications of PKI
      XKMS
      PKI Functions
      Certificate Authority
      Cross-Certification
      Registration Authority
      End-entity
      Types of Certificates
      Implementation Issues
      Setup
      Back-end Setup
      User Setup and Registration
      Certificate Policy and Certificate Practice Statement (CPS)
      Administration
      Renewal
      Search
      Exception Handling
      Revocation
      Escrow
      Audience
      Time Allotted for Rollout
      Expertise Available
      Funds Available
      Integration Issues
      Integration with Applications
      Integration with Third-Party Data
      Integration with Stronger Authentication Options
      Integration with Legacy Systems
      Integration with Single Interface
      Cost
      Summary: Best Practices to Reduce Complexity

    Chapter 3: Best Practices of PKI
      Insource versus Outsource Factors
      Public and Private Hierarchies
      Control and Flexibility
      Cost and Deployment Time
      Vendor and Technology Selection
      Determining the Selection Criteria
      Financial Strength
      Scalability
      Security
      Operations
      Support
      Consulting Strength
      Vendor Vetting: How to Ask the Right Questions
      Executive Summary
      Introduction
      Scope of the Project
      Project Organization and Management
      Security Architecture
      Security Policy
      Standards and Security Design Guidelines
      Operational Guidelines
      Audit
      Security Awareness and Training
      Consultant Profiles
      Project References
      Design
      Elements of a PKI Infrastructure
      CA Hardware and Software Architecture
      User Setup/Registration Definitions
      Legal Policy Development
      RA Agreement
      RA-End-Entity Agreement
      Subscriber-End-Entity Agreement
      Best Practices for PKI Selection
      Personnel
      Secure Infrastructure
      Legal Aspects
      Deployment Time Frame
      Costs
      Implementation
      Project Management
      Resources Needed
      Timelines
      Summary: Choosing the Right Partner

    Chapter 4: Selling PKI
      ROI on PKI, ASAP
      Reactive versus Proactive Selling Models
      Success Criteria
      Implementation ROI
      Creating ROI Models
      Cost Savings per Transaction
      Reduced Processing Time per Transaction
      New Services
      Reduced Exposure Model
      Regulation Compliance Model
      Nonfinancial Benefits
      FUD
      Industry Peer Comparison
      Vulnerability Assessment
      Internal Surveys
      Convenience
      Case Study: Anatomy of a PKI Sale
      The Prospect
      The Pitch
      The Closing
      The Payment
      The Delivery
      Summary: It’s All about the ROI

    Part Two: Solutions for Trust

    Chapter 5: Healthcare Solutions
      HIPAA
      PKI as a Solution to HIPAA
      Biometrics and HIPAA
      Biometrics Overview
      Hospitals, Doctors, and Managed Care
      Unique Security Requirements
      Doctors’ Requirements
      Hospital Characteristics
      Managed Care
      Cost and Other Factors
      Who Pays?
      Summary: The Healthcare Prognosis

    Chapter 6: Financial Solutions
      Financial Sector
      Consumer
      Commercial
      Legal Drivers
      The Gramm-Leach-Bliley Act
      Privacy
      Security
      Assessment of Risk
      Control of Risk
      Supervision of Service Provider Arrangements
      Revisions of Guidelines
      Reporting to the Board
      Secure Wireless Communications under GLBA
      Fair Credit Reporting Act
      Electronic Fund Transfer
      OnLine Mortgage and Loan Applications
      Identrus
      What Is Identrus?
      Need for Identrus
      Architecture
      Applications
      Future of Identrus
      Identrus Alternatives
      Global Trust Authority
      ABAecom
      EMV Solutions
      EU Directives
      Directive 1999/93/EC
      Directive 2000/31/EC
      Safe Harbor Agreement
      What Do All These Standards Mean for Me?
      Summary: Money Talks

    Chapter 7: Government Solutions
      Types of Government Solutions
      National Identity Projects
      Technology Challenges
      The Trust Factor
      Citizen Identification Device
      Terminal Readers
      Government Regulations
      E-government projects
      U.S. Government Initiatives
      Common Access Card
      ACES
      Legal Drivers
      Paperwork Reduction Act (E-Paper Act)
      Privacy Act
      Federal Agency Protection of Privacy Act
      Government Paperwork Elimination Act
      Electronic Signatures in Global and National Commerce (E-Sign) Act
      Federal Bridge Certification Authority
      Meaning of Assurance
      International Efforts
      Australia
      United Kingdom
      India
      Summary: Citizen Certificate

    Chapter 8: Communications Solutions
      Secure Messaging
      Methods of Secure Communications
      Encryption Point-to-Point
      Encryption with Insecure Pickup
      Encryption with Secure Pickup
      Instant Messaging
      Peer to Peer
      Guaranteed Delivery
      Secure Drop-off and Pickup Model
      Private Internet Network
      Content Management
      Policy Methods
      Secured Delivery
      Encapsulation
      Secure Space
      Time Stamping
      SSL: The Old Standby
      Challenges with SSL
      Deployment Strategies
      Dedicated SSL
      Shared SSL
      Server Appliance Model
      Alternative Approach: OpenSSL
      Code Signing
      Summary: Speaking Digitally

    Chapter 9: Other Solutions
      Virtual Private Networks
      What Is a VPN?
      Why Do We Need Them?
      Pros of VPNs
      Cons of VPNs
      How Do They Work?
      Internet Key Exchange
      Alternatives to IPSec VPNs?
      Smart Cards
      Novell Architecture
      Token FOB
      Kerberos
      Tool Kits
      Microsoft
      Xetex
      Broadband
      DOCSIS
      PacketCable
      CableHome
      OpenCable
      Euro-DOCSIS
      PKI on a Chip
      Integrated Security Chip
      User Verification Manager
      PKI Standards Support
      Administrator Utility
      File and Folder Protection
      (VPN) Authentication
      Intel’s Solution
      Other Applications
      X-Bulk
      Printers
      Summary: PKI Is Far and Wide

    Part Three: Trust Solutions Guide

    Chapter 10: Overview of Trust Solutions
      Consultant’s Corner
      Challenges
      It’s the Law!
      Staying Current
      Guide to Commercial Solutions by Category
      VPN Solutions
      Checkpoint
      Nokia
      Netscreen
      SonicWall
      Biometric Solutions
      Device Vendors
      Middleware Vendors
      Form-Signing Solutions
      Stand-Alone Form Signing
      Hybrid
      Core Technology
      Secure Messaging
      Solutions with End-User Clients
      Solutions without End-User Clients
      Miscellaneous Solutions
      Secure Wireless Solutions
      Certicom
      Openwave
      Diversinet
      Single Sign-On Solutions
      Integrated Solutions
      Hybrid Solutions
      Content Management Solutions
      Probix
      Alchemedia
      Web Servers
      Software Web Servers
      Hardware (Appliance) Web Servers
      Smart Cards
      Gemplus
      Schlumberger
      Data Storage Protection
      Brocade
      Veritas
      Web Portals
      Plumtree
      Hummingbird
      B2B
      Cyclone Commerce
      webMethods
      SET
      IBM
      VeriFone
      Summary: The Answer Is ... Solutions!

    Chapter 11: The Future of PKI
      The Future of Mobile Security in PKI
      Mobile VPNs
      Lessening the Pain
      Trends in Integration
      Solution Building
      Consolidation of the Security Market
      Survey of the Security Market
      Encryption
      Authentication
      Authorization
      Administration
      Firewalls and VPNs
      Operational Integrity
      Only the Strong Will Survive
      One-Stop Shopping
      PKI Is Only Part of the Solution
      Need for Good Security Policies
      Strong Audit Capability
      Good Physical Security
      Summary: The Growth of PKI

    Appendix

    Index

  • Acknowledgments

    As with any complex work such as this book, quite a number of people have helped contribute to the knowledge and wisdom found in this book. I have listed those who have directly contributed to this work through their guidance or direct contribution to some of the material. I can never thank all of these people enough, as their respective expertise truly helped make this book a realistic, real-world project.

    Adaobi Obi Tulton, Assistant Developmental Editor, for her untiring efforts to help develop and produce this book. I want to thank her for going above and beyond to help keep this project on time and with a high degree of quality and content. Her expertise has greatly enhanced the quality of this book.

    Bikram Bakshi, Director, Business Development, Bionetrix, Inc. Thanks to Bikram for his contribution to the Chapter 5 case study about biometrics and PKI and personal support for this project. His extraordinary effort has added an invaluable element to the book.

    Carol Long, Executive Acquisitions Editor, Wiley Technology Publishing, for her guidance in content, scope, flexibility, and vision on this project.

    David Ramon, CEO, USA.net, for his ongoing support for this and some of my other security book projects.

    Doug Jones, Executive Chief Architect, YAS Broadband Venture, for his contribution and guidance to the DOCSIS and broadband material in Chapter 9.

    Geoff Kahler, VP Marketing, Identrus, LLC for his guidance in the financial solutions including Identrus for Chapter 6.

    Greg Worch, formerly with Identrus, LLC, for his guidance in developing material and case studies for Chapter 6.

    Gregory Alan Bolcer, CTO, Endeavors Technology, Inc, for his and the whole Endeavors team’s help in developing material in Chapter 8 for the IM case study.

    Jennifer Angle, Director Product Marketing, USA.net, for her and the USA.net team’s guidance in some of the secure email solutions coverage.

    Julian Waits, VP of Sales and Business Development, Bionetrix, Inc. Julian’s contribution and guidance on biometrics and PKI is very much appreciated.

    Karla Friede, who in addition to working as a Marketing Consultant for Flatrock, has a depth of industry experience including VP of Marketing for Geotrust, The Ascent Group, and Mentor Graphics. Thanks for her efforts in her contribution to the material for Chapter 9’s case study, “Case Study: Flatrock Levels the IPSec VPN Space.”

    Kim Novak, Technical Project Manager, VeriSign, Inc., for her help and guidance in developing the resources needed for the DOCSIS-related discussions in Chapter 9.

    Louisa Hebden and Sharon McMaw, Royal Bank of Scotland, for their assistance and guidance in developing material for Chapter 6.

    Minna Tao, for her guidance in development and coverage of financial topics related to PKI for Chapter 6.

    Nancy Davoust, Executive Security consultant, YAS Broadband Venture, for her contribution and guidance to the DOCSIS and broadband material in Chapter 9.

    Rick Triola, Chairman & CEO, ezEscrow, Inc. Thanks to Rick and his team for contributions to the Chapter 6 case study for electronic signatures for mortgages.

    Roger Wood, Senior Product Manager, Flatrock, Inc. Roger has seventeen years of networking experience including more than nine years with Cisco Systems. His contribution and guidance on the material for Chapter 9’s case study, “Case Study: Flatrock Levels the IPSec VPN Space,” has been invaluable.

    Rouzbeh Yassini, Founder and CEO, YAS broadband Venture, for his contribution and guidance to the DOCSIS and broadband material in Chapter 9.

    Sarah Granger, Technical Editor for this book. An enormous thanks to Sarah for working with crazy deadlines and intensely complex material. Her input has been instrumental in producing a work that is clear and comprehensive. Her past experience in technical writing has been invaluable in developing a high-quality book in such a short time frame.

  • Introduction

    Increasingly as the world relies on electronic commerce, the need for security becomes critical. The Internet provides an excellent vehicle for increasing transaction efficiencies and extending the scope of communication and business. Perhaps the most critical element of security is the ability to provide trust and confidence to transactions over the Internet.

    Some may argue that we already have tools for affording trust to Internet transactions and communications. The Internet, though, can still be viewed only as an ancient settlement that has point solutions for affording security for its residents. For example, solutions like anti-virus software or firewalls do not help in establishing the identity of the parties during transactions. Nor can such solutions guarantee an understanding of the level of trust when dealing with a merchant or another individual.

    So how can we provide trust and confidence to the Internet? To accommodate the scale of transactions across the Internet, some of the few technologies that can accomplish this include Public Key Infrastructure (PKI). For many, PKI induces fear of complex and long deployments. Perhaps this may have been the case several years ago when PKI was not considered essential nor were pre-integrated PKI applications ready for use.

    Today, PKI has been viewed as critical not only to the commercial sector but also to the government sector. As a result, many aspects required for successful PKI, such as insurance and legal aspects, have been greatly improved. For example, most countries within the last few years have passed laws that make digital signatures legally equivalent to physically drafted signatures. In addition, many countries also have regulatory elements to the Certificate Authorities (CAs) to ensure the quality of their operations and in some cases their viability to support national projects based on PKI.

    Have PKI deployments become easier? Yes, to a large degree. Part of the offset of the complexity of PKI has been in the increased education of IT professionals, improved skill sets, and simplification by PKI vendors in the deployment complexity.

    Overview of the Book and Technology

    When the idea for this book came to me, I was interested in focusing primarily on showing how PKI is being used in various segments of business and government. During this research I was very surprised by how extensive the use of PKI is and how much it has penetrated all aspects of ecommerce. Even more surprising was the number of governments around the world that now have digital signature laws and regulatory requirements for CAs and other organizations related to PKI.

    This book covers the essential basics of PKI. My intent, though, was not to cover the theoretical aspects, but rather show specific examples and provide models for PKI development and deployment. There are already many fine books on PKI design and architecture. In many ways, both technologists and business people can use this book as it provides an understanding of how the technology can be used and how it can be financially justified.

    Wherever possible, each section of the book includes a case study or a reference to an actual implementation of that aspect of the PKI technology. This realism highlights how PKI is already being used and can serve as a model for making decisions about if and how to use PKI to provide trust and confidence on the Internet.

    How This Book Is Organized

    The book is divided into three main parts:

    Part One: Trust Basics: Ins and Outs of PKI. In this section, information is given to provide a base knowledge of PKI. The concepts of PKI and how the technology works are discussed. Furthermore, basic concepts on how to understand PKI from a business aspect are also discussed. Because the business justification of PKI is as important as the technology itself, both aspects are discussed in the same section. Although this section gives a very brief glimpse of the technology, it does provide a sufficient, independent basis for understanding later elements of the book.

    Part Two: Solutions for Trust. With the understanding of the basics of PKI, this section describes how PKI is implemented and used in various segments. The breakdown by vertical applications was designed to show how PKI varies from segment to segment. In addition, this structure allows for discussion of specific industry consortia and standards bodies that guide PKI development to address specific, unique needs of that vertical. Some of the most popular vertical applications were chosen. Nonetheless, there are many more not discussed in this book that may be found through the additional resources referenced in the Appendix.

    Part Three: Trust Solutions Guide. This section aims to provide concrete vendor and solution examples. Think of this section as a high-level overview of specific companies and products that can help achieve the aims discussed in Part II, “Solutions for Trust.” The aim here is to provide a starting point so that you can choose the right combination of vendors and products for your PKI deployment. For those of you already using PKI, this section can show the other areas in which PKI can be leveraged, either through existing products you may already have or new products that can enhance your existing PKI infrastructure.

    Although the book has been structured for an audience with very little knowledge of PKI and related topics, for readers who already have an advanced understanding of the technology, Parts Two and Three, “Solutions for Trust” and the “Trust Solutions Guide,” will serve as an excellent reference. In fact, the book has been designed to be used as a reference tool as much as a tutorial. The book does contain information that is of a time-sensitive nature, and thus the Appendix becomes useful in helping you keep up to date on events in this area of security.

    Note that although some applications are covered in a particular vertical, that does not mean that it is the only vertical that has utility for that security application. The intent has been to emphasize some of the more popular uses of a particular application within the most commonly used vertical.

    Chapter 1: What Is Trust?

    This chapter explains the fundamental requirement for leveraging the Internet for ecommerce and trust. It explains how trust can be defined, how it is currently managed, and some key elements required to ensure a lasting trust relationship between two parties.

    Chapter 2: Complexities of PKI

    With the goal of achieving trust, as established in Chapter 1, this chapter focuses on the most efficient solution for establishing this trust, PKI. The chapter reviews the basic concepts and introduces tips and techniques to guide in successful implementation. This chapter is important for beginners to the technology and was designed to be an introductory text to this security technology.

    Chapter 3: Best Practices of PKI

    In order to avoid the pitfalls of implementing PKI, this chapter reviews best practices in designing and implementing PKI solutions. Design, implementation, vendor selection, and choosing insource or outsource models are all discussed. Although it is very difficult to capture the breadth of knowledge in this area in a single chapter, the text takes an overview approach that highlights the main points to consider in PKI deployment.

    Chapter 4: Selling PKI

    Realizing that designing and implementing PKI is only part of the security battle, learning how to justify PKI to customers, partners, and internal decision makers is critical for a successful security deployment of PKI. This chapter provides tools, including quantitative metrics, to help rationalize and guide decision-making processes in how and when PKI provides cost-efficient solutions for security problems.

    Chapter 5: Healthcare Solutions

    Focused on the healthcare vertical, this chapter covers those topics directly relevant to the healthcare industry. Laws and unique attributes to this vertical are discussed, and those key drivers for the technology are covered in detail. Many examples are given to show the reader actual implementations in healthcare for PKI. Consortiums and standard bodies are highlighted to indicate the progress and important developments that PKI brings to the healthcare community.

    Chapter 6: Financial Solutions

    Security is never more important than when dealing with money. The financial vertical has specific legal and business drivers, which make PKI ideal as a security solution for that space. Examples, in the form of case studies and sidebars, are given to provide reference models for readers’ own implementations and development projects. Although only a few specific legal aspects are covered, all of the material can be used as a basis for developing models for other PKIs, including models for financial organizations in all parts of the world.

    Chapter 7: Government Solutions

    Government deployment of PKI solutions truly shows the scalability of PKI technology, given the large numbers of users involved in such deployments. This chapter shows examples of legal drivers and applications that governments around the world are using to deploy PKI. One of the most important aspects of this chapter is the emphasis on how governments treat PKI as a national infrastructure and provide regulatory guidance to ensure the quality and sustainability of CAs.

    Chapter 8: Communications Solutions

    It has been long said that one of the killer applications for the Internet has been communications applications such as email. As a result of the impact of communications on our daily personal and professional lives, this chapter covers security communications strategies. The chapter covers the range of applications from email to instant messaging. A key emphasis is to describe a variety of methods, spanning the user experience from very secure solutions to easy-to-use, mobile solutions.

    Chapter 9: Other Solutions

    Of course, it is impossible to cover all the applications that use PKI to create trust and confidence in electronic transactions. An attempt is made, though, to capture solutions here not discussed thus far. Much of this chapter focuses on device certificate applications. Device certificates are digital credentials that identify a device (rather than a person). Device certificates are quickly becoming the most popular and prevalent use of digital certificates.

    Chapter 10: Overview of Trust Solutions

    One of the challenges with discussing models and applications of a technology is that information alone does not help in choosing and understanding specific products and companies in the market. This chapter is dedicated to helping users relate specific products on the market to the various categories discussed throughout this book. Although this material will change as products and companies change, this serves as a good base to learn about actual product examples.

    Chapter 11: The Future of PKI

    This chapter addresses future trends and emerging technologies in the PKI space. It is important to keep aware of trends in this space to plan appropriately and take advantage of changes. As the security market consolidates, companies should see big benefits in consolidated functionality.

    Appendix

    The appendix presents a variety of resources and guides to additional information. Security is a never-ending game of improving the level of confidence of people and machines in conducting safe, secure transactions. The appendix also has more international material, to ensure that the reader is aware, regardless of where he or she may be in the world, that PKI is directly relevant globally.

    Who Should Read This Book

    The audience for this book can be quite varied, ranging from novices in PKI technology to security experts looking to gain specific knowledge. In general, the first part of the book has been designed to give an overview of the PKI technology along with the challenges and advantages the technology offers. The next part of the book would be common for any reader as it highlights current, realistic examples of how PKI has been used. This will serve as an ideal model for all readers. The final part of the book is meant as a reference guide to help readers understand specific companies and products.

    Business Decision Makers

    One interesting aspect of this book is that, while it does focus heavily on the technology, a fair amount of effort has been made to ensure that the business aspects of this technology have been discussed. All too many times, technologists create wonderful solutions, only to be left unable to justify their expense to the decision makers. Specific chapters, such as Chapters 3, 4, and 10, include elements that highlight resource and time discussions to help guide decision makers in making appropriate resource allocations for successful security deployment. As a decision maker, you are looking for the risk-to-reward ratio as well as business justification strategies. For this purpose Chapter 4 has been designed specifically for you.

    Project Managers/Consultants

    Chapters 2 and 3 are most relevant to project managers as specific examples of project timelines are discussed. Techniques and tips (as well as challenges) for successful deployment are discussed. One key aspect that all project managers need to understand is how to parallelize PKI task deployments.

    Absolute Beginners

    If you are new to PKI and related security technologies, then you must read the book from cover to cover. The book progresses in its depth of the topics covered, leading to the final chapter, which discusses future trends of the technology. It is recommended, if more detail on theoretical design and architecture of PKI-related technologies is required, that other books on PKI be explored. The Appendix will also prove useful as pointers to other resources that can explain various topic areas.

    Tools You Will Need

    No specific software is associated with this book.As a side note, it is importantto understand that many of the products and technologies mentioned in thisbook are usually available in some type of trial or test modes. It is recom-mended that the reader evaluate any software related to PKI technology insome type of pilot program. The advantages of PKI security solutions can faroutweigh the effort of deployment; however, it is important to proceed withcare in deploying enterprise-wide applications of any type.

    You can refer to my website, www.securitypundit.com, for further resources and guides beyond what this book covers.

    Summary

    This book was designed to impart tools and techniques for leveraging PKI as a method to create trust and confidence in electronic transactions and communications. Although this book is only a starting point, its focus on solutions and real-life applications should provide a good base for understanding this area. Try not to think of PKI as having to “arrive” as a mainstream application but rather as an application that is already in widespread use across many countries and vertical applications. The “Year of PKI” has already come and gone. We are now in the “Decade of PKI.”


    PART One

    Trust Basics: Ins and Outs of PKI

    CHAPTER 1

    What Is Trust?

    The hot new buzzword for the twenty-first century is trust. We are asked to trust that Web site purchases are safe, we are asked to trust that the car dealer is making us a good deal, and we are even asked to trust in our local politicians! This move into trust instead of security has been positive for the computer security field. We cannot avoid security issues, but we can create an umbrella solution that may include risk mitigation in addition to security techniques, also known as “trust.” Trust consists of more than just secure computer systems. After all, the security of a computer system extends far beyond just a well-protected operating system. We have to consider the reliability of inside employees, physical security, and so on in a more holistic view.

    Trust in the Digital World

    Trust must be applied in the context of the business or use of the trust application. For example, in financial applications, the consequences from loss of use of systems are extremely high. As a result, the level of trust between two transacting parties must be much higher than that of, for example, consumer applications, where an individual loss is relatively small. As we will see in the rest of this book, the application of trust varies from industry to industry. Therefore, we provide, in these initial chapters, a generic platform and set of guidelines. Each industry, and to some degree each specific company, must examine this platform and customize and apply it accordingly. We can safely make some assumptions, though, that will be used as a basis for comparing levels of trust among peer merchants or companies.

    Defining Trust

    Trust consists of three key elements:

    Predictability. The ability to consistently produce an expected (positive) result will allow the consumer of these services to waive the need to constantly keep a high state of vigilance. The more predictable the security, service, and quality of an online merchant, the easier it will be for a consumer to purchase those services.

    Assets. Generally we are not concerned with trust unless there are significant assets (whether physical or logical) that risk being damaged or lost. The greater the value, the more trust becomes a requirement. Web sites like eBay, an online auction site, use partners for escrow services for higher-value trades (usually over U.S. $500) as a method of increasing trust in transactions between two unknown parties.

    Uncertainty. Trust is required when there is an amount of uncertainty in the ability to verify an operation or result. Generally, if all information is known about the parties and the transaction, then the need for trust is greatly reduced. Most transactions, however, occur with a level of uncertainty, including unknown history with buyer or seller, unknown quality of service or goods, and so on.

    To better understand the concepts of trust, let’s take the example of a merchant Web site. A merchant must accomplish two main business goals: new sales (selling to new customers) and renewal sales (selling to repeat customers). New sales without renewals create very high costs of customer acquisitions. One way to increase renewals is to create a higher level of predictability of service and security through the initial transaction experience. Predictability can be achieved by using common security protection methods, such as setting up the systems to produce the comforting “lock” symbol (which indicates a secure connection via the Secure Sockets Layer (SSL) protocol in the browser). In addition, a certification logo or privacy statement can provide information that a trusted third party has also objectively reviewed this site.

    In our example of the merchant site, the merchant’s assets can be measured in two ways: hard assets (the goods or services that are being sold) and goodwill (the branding and positioning of the merchant and/or the goods being sold). For most companies, the goods and the branding (that is, the reputation) are equally important. Losing goods to fraud results in a direct material loss. Tarnished branding or reputation can result in a decrease of future sales (for example, Andersen Consulting after its involvement with the Enron scandal in 2002).
