A technical, but not too technical, explanation of how Novell (and eventually MSFT and SUNW) promotes a PKI regime:
networkmagazine.com
"OS-ENABLED SECURITY
"A recent, yet very interesting development in the PKI market is the trend toward integrating PKI features into server-based operating systems. A PKI encompasses a number of components within a network, including servers and directories, so it makes sense to build the features right into the OS.
"Novell is leading the way with its Public Key Infrastructure Services (PKIS) 1.0, which comes free with NetWare 5. PKIS allows the use of digital certificates and public key cryptography within an NDS-based network. And since there are more than a few companies that rely heavily on NDS to manage their user information, weaving in PKI capabilities makes sense for companies that want to use existing products.
"Certificate management occurs through NetWare's NWAdmin utility, which provides a single, central point of administration for public keys and certificates.
"PKIS supports in-house CAs and lets companies send internally generated certificates to a third party such as Verisign or GTE Cybertrust for an additional signature, but product features also eliminate the need for a third-party CA. Companies can use products like Netscape's Certificate Management System, and integrate its certificate generation capabilities with NDS.
"Public and private key pairs can be generated on a NetWare server, which in turn sends the keys to PKIS. PKIS will then get an associated certificate either from within, or from an external CA.
"It also provides certificate and key storage through NDS, secure management of private keys, and certificate renewal.
"When a certificate's predetermined expiration date approaches, PKIS lets administrators check the certificate's attributes and change any parameters. PKIS also lets administrators create a completely new certificate based on a new key.
"Novell has also announced that it is working on supporting digital signatures, which provide for nonrepudiation in electronic communications. [Is this us?] The company also plans to support different classes of certificates, much like Verisign has been doing from the beginning; this class distinction will translate to different levels of trust associated with a particular certificate.
"As you might expect, Novell's chief rival in the OS market, Microsoft, is also dealing with the issue of PKI. Microsoft already includes integrated PKI services through a service pack to Exchange 5.5 that upgrades the key management server component of the popular messaging software. This key management server is compatible with Microsoft's Certificate Server, which is an option to Windows NT and Microsoft Internet Information Server 4.0 that issues, renews, and revokes X.509 digital certificates without the need for an external CA.
"The next logical step is to integrate PKI capabilities into Windows 2000 (the new name for Windows NT), which most observers expect by the end of 1999. Microsoft has announced it will integrate the Certificate Server with Active Directory, also due by the end of 1999.
"Not to be left in the dust, Sun Microsystems has said it will embed support for PKI services in its Solaris operating system by mid-1999. Sun plans to let users create public keys and make it much easier to implement a PKI. Because Solaris supports LDAP, third-party PKI products can be integrated. Also, Solaris' PKI services will support smart cards for authentication.
"Built-in PKI support in some of the most popular operating systems could give established PKI vendors a reason to look over their shoulders, but it can also lead to greater understanding of the technology and jump-start the entire market."
===============================
In other words, the OS vendors are threatening to take some of the software profits from the PKI vendors by incorporating software centrally into their Internet-level directories. (This is similar, I think, to what could happen to biometric vendors if Microsoft wants to centrally incorporate a biometric algorithm.*) However, this will also promote the creation of a digital certificate/digital signature universe across the Internet. Since IDX wants to be the digital signature provider via fingerscans, not too bad for us.
*Some of these possibilities can make you worry about ultimate software margins.
========================
Brad, while you and the other Commissioners are deciding on an upgrade from the present frothing at the mouth IDX buy, please remember the stock has already doubled over the past five weeks.