Simplification is the key to PKI success

In this mean season, it's sad to see our fondest e-business visions become stale jokes. Take public-key infrastructure (PKI) technologies. More specifically, let's take another look at yesteryear's promise of interoperable, multivendor PKIs as a universal trust and security environment for e-business. Sure, we have PKI standards galore, and many innovative PKI products and services. So why has the mass market for PKI-enabled products never taken off?

PKI's shortcomings are no secret to anyone who has tried to make it all work together. Chief among them is its complexity: PKI must be greatly simplified to achieve any degree of universality. In particular, traditional PKI requires too much application preconfiguration at browsers, e-mail clients and other desktop applications.

To its credit, the PKI industry is working to simplify its technical approaches. PKI vendors are developing new architectures that take much of the processing load off the overburdened client and delegate it back to the server-side infrastructure. Chief among these are the XML Key Management Specification (XKMS) and the equally XML-based Security Assertion Markup Language (SAML), a permission management infrastructure (PMI) standard being developed under the auspices of the Organization for the Advancement of Structured Information Standards (OASIS). Industry standards groups are also debating the merits of proposed PMI interoperability specifications such as the eXtensible Access Control Markup Language (XACML).

Unfortunately, these budding, young security standards, in spite of all their promise, may not make e-business trust infrastructures less complex to deploy and manage. If we're not careful, we'll simply be exchanging one complex trust environment (traditional PKI and PMI) for another (XML-enabled PKI and PMI) at the client and server levels.

At the client level, XKMS - the most important of the emerging but still unfinished standards - will let applications delegate the retrieval, parsing and validation of X.509 digital certificates to trusted servers, thereby reducing the PKI-enabled business logic that must be installed on clients. However, XKMS will require retrofitting clients to support new standards such as Simple Object Access Protocol (SOAP) and Web Services Description Language (WSDL).

Adding to the potential for complexity, XKMS and SAML, if implemented together, will expand the range of trust servers that must interoperate. XKMS defines two principal new infrastructure components, Registration Servers and Assertion Servers, which support all traditional PKI functions but do so through exchange of standardized XML-based messages. Likewise, the SAML framework will enable standards-based authentication and authorization through XML messaging among such new infrastructure components as Authentication, Session and Attribute Authorities.
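The delegation described in the two preceding paragraphs is easiest to see as a message exchange. The following is an added example, not code from the column or from any XKMS or SAML vendor: a thin client wraps a certificate in a ValidateRequest, and a trust server, which alone holds the trust anchors, expiry data and revocation state, answers with a ValidateResult whose StatusValue is Valid, Invalid or Indeterminate. The element names and status URIs follow the shape of the XKMS 2.0 namespace, but the messages are deliberately reduced and are not spec-conformant, and the "certificates" and trust store are constructed stand-ins (no real ASN.1 parsing), because the point is where the PKI logic lives, not the encoding.

```python
"""Simplified XKMS-style delegated certificate validation (added example).

Messages borrow the element names and status URIs of XKMS 2.0
(namespace http://www.w3.org/2002/03/xkms#) but are reduced and NOT
spec-conformant. The "certificates" are constructed byte strings and the
trust store is a constructed table standing in for the server's CA store
plus CRL/OCSP state.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

XKMS = "http://www.w3.org/2002/03/xkms#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
VALID = XKMS + "Valid"
INVALID = XKMS + "Invalid"
INDETERMINATE = XKMS + "Indeterminate"
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DSIG)


def q(ns: str, name: str) -> str:
    """Clark-notation tag, e.g. {http://www.w3.org/2002/03/xkms#}ValidateRequest."""
    return "{%s}%s" % (ns, name)


# ---- thin client: no trust anchors, no path building, no revocation data ----

def build_validate_request(cert_der: bytes, request_id: str) -> bytes:
    """Ship the raw certificate bytes inside ds:KeyInfo/ds:X509Data."""
    req = ET.Element(q(XKMS, "ValidateRequest"), {"Id": request_id})
    kb = ET.SubElement(req, q(XKMS, "QueryKeyBinding"))
    x509 = ET.SubElement(ET.SubElement(kb, q(DSIG, "KeyInfo")), q(DSIG, "X509Data"))
    ET.SubElement(x509, q(DSIG, "X509Certificate")).text = base64.b64encode(cert_der).decode()
    return ET.tostring(req)


def read_status(result_xml: bytes) -> str:
    """The only PKI logic left on the client: read the server's StatusValue."""
    status = ET.fromstring(result_xml).find(q(XKMS, "KeyBinding") + "/" + q(XKMS, "Status"))
    return status.get("StatusValue", INDETERMINATE) if status is not None else INDETERMINATE


# ---- trust server: owns anchors, expiry and revocation state ----

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

# Constructed sample "certificates" (opaque bytes standing in for DER).
CERT_GOOD = b"constructed-der:alice@example.test"
CERT_REVOKED = b"constructed-der:revoked-service"
CERT_EXPIRED = b"constructed-der:expired-service"
CERT_UNKNOWN = b"constructed-der:unknown-issuer"

# Constructed trust store: fingerprint -> attributes the server has already
# verified out of band (chain to an anchor, signature).
TRUST_STORE = {
    fingerprint(CERT_GOOD): {"not_after": datetime(2030, 1, 1, tzinfo=timezone.utc)},
    fingerprint(CERT_REVOKED): {"not_after": datetime(2030, 1, 1, tzinfo=timezone.utc)},
    fingerprint(CERT_EXPIRED): {"not_after": datetime(2020, 1, 1, tzinfo=timezone.utc)},
}
REVOKED = {fingerprint(CERT_REVOKED)}  # constructed revocation list
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed clock


def evaluate(cert_der: bytes, now: datetime) -> str:
    """Three-way outcome: a certificate under no known anchor is Indeterminate, not Invalid."""
    fp = fingerprint(cert_der)
    entry = TRUST_STORE.get(fp)
    if entry is None:
        return INDETERMINATE
    if fp in REVOKED or now >= entry["not_after"]:
        return INVALID
    return VALID


def make_result(request_id: str, status_value: str) -> bytes:
    res = ET.Element(q(XKMS, "ValidateResult"), {"RequestId": request_id})
    kb = ET.SubElement(res, q(XKMS, "KeyBinding"))
    ET.SubElement(kb, q(XKMS, "Status"), {"StatusValue": status_value})
    return ET.tostring(res)


def handle_validate_request(request_xml: bytes, now: datetime = NOW) -> bytes:
    """Server entry point: a malformed or incomplete request never yields Valid."""
    try:
        root = ET.fromstring(request_xml)
        cert_el = root.find(".//" + q(DSIG, "X509Certificate"))
        cert_der = base64.b64decode(cert_el.text.strip(), validate=True)
    except (ET.ParseError, AttributeError, ValueError):
        return make_result("", INDETERMINATE)
    return make_result(root.get("Id", ""), evaluate(cert_der, now))


def validate(cert_der: bytes, now: datetime = NOW) -> str:
    """Full round trip as the client sees it."""
    return read_status(handle_validate_request(build_validate_request(cert_der, "req-1"), now))


if __name__ == "__main__":
    for name, cert in [("good", CERT_GOOD), ("revoked", CERT_REVOKED),
                       ("expired", CERT_EXPIRED), ("unknown", CERT_UNKNOWN)]:
        print(name, validate(cert).rsplit("#", 1)[1])
```

The client side needs only an XML library and the ability to read one attribute; everything that traditionally had to be preconfigured on the desktop (trust anchors, expiry checking, revocation lookups) sits behind `handle_validate_request`, which is the point of the delegation. The server returns Indeterminate rather than Invalid for certificates it has no basis to judge, and the same status for malformed requests, so that a broken or tampered message can never be mistaken for a successful validation.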

Ratcheting the complexities up further, the proposed XML standards won't necessarily blow traditional PKI and PMI architectures out of the water. It's very likely that the XKMS and SAML worlds will need to interoperate with legacy PKI and PMI infrastructures through adapters and gateways for such purposes as registering and validating X.509 public-key certificates.

The new XML-based security standards are on the right track. It's a given that XML-based application-to-application messaging and digitally signed trust assertions will be important features of next-generation PKI and PMI environments. But the standards development efforts among XKMS, SAML and other leading initiatives have not been well-coordinated. The industry should, above all else, consolidate development of XML PKI and PMI standards under a single organizational umbrella, rather than continue to triangulate among the Internet Engineering Task Force, World Wide Web Consortium and OASIS. We also need stable, open source reference implementations of these next-generation PKI and PMI standards to jump-start widespread implementation and interoperability.

Most important, we need radical simplicity of PKI and PMI configuration at the client level. This stuff has to be cheap and easy to set up and manage on the desktop, laptop and palmtop. Otherwise, it won't succeed in the mass market. We've seen too many 1990s visions stumble on the doorstep to the new millennium.

Kobielus is an analyst with The Burton Group, an IT advisory service that provides in-depth technology analysis for network planners. He can be reached at The opinions expressed are his own.
