OS-ENABLED SECURITY
A recent and very interesting development in the PKI market is the trend toward integrating PKI features into server-based operating systems. A PKI encompasses a number of components within a network, including servers and directories, so it makes sense to build the features right into the OS.
Novell is leading the way with its Public Key Infrastructure Services (PKIS) 1.0, which comes free with NetWare 5. PKIS allows the use of digital certificates and public key cryptography within an NDS-based network. Since more than a few companies rely heavily on NDS to manage their user information, weaving in PKI capabilities makes sense for companies that want to use existing products. Certificate management occurs through NetWare's NWAdmin utility, which provides a single, central point of administration for public keys and certificates. PKIS supports in-house CAs and lets companies send internally generated certificates to a third party such as Verisign or GTE Cybertrust for an additional signature, but product features also eliminate the need for a third-party CA. Companies can use products like Netscape's Certificate Management System and integrate its certificate generation capabilities with NDS.
Public and private key pairs can be generated on a NetWare server, which in turn sends the keys to PKIS. PKIS then obtains an associated certificate, either internally or from an external CA. It also provides certificate and key storage through NDS, secure management of private keys, and certificate renewal. When a certificate's predetermined expiration date approaches, PKIS lets administrators check the certificate's attributes and change any parameters. PKIS also lets administrators create a completely new certificate based on a new key. Novell has also announced that it is working on supporting digital signatures, which provide for nonrepudiation in electronic communications. The company also plans to support different classes of certificates, much as Verisign has done from the beginning; this class distinction will translate to different levels of trust associated with a particular certificate.
As you might expect, Novell's chief rival in the OS market, Microsoft, is also dealing with the issue of PKI. Microsoft already includes integrated PKI services through a service pack to Exchange 5.5 that upgrades the key management server component of the popular messaging software. This key management server is compatible with Microsoft's Certificate Server, an option to Windows NT and Microsoft Internet Information Server 4.0 that issues, renews, and revokes X.509 digital certificates without the need for an external CA. The next logical step is to integrate PKI capabilities into Windows 2000 (the new name for Windows NT), which most observers expect by the end of 1999. Microsoft has announced it will integrate the Certificate Server with Active Directory, also due by the end of 1999.
Not to be left in the dust, Sun Microsystems has said it will embed support for PKI services in its Solaris operating system by mid-1999. Sun plans to let users create public keys and make it much easier to implement a PKI. Because Solaris supports LDAP, third-party PKI products can be integrated. Also, Solaris' PKI services will support smart cards for authentication.
Built-in PKI support in some of the most popular operating systems could give established PKI vendors a reason to look over their shoulders, but it can also lead to greater understanding of the technology and jump-start the entire market.
WHO DO YOU TRUST?
As the need increases for secure applications, and for the ability to conduct electronic transactions with a high level of trust and security, companies will realize that a public key infrastructure is the architecture that will let them do everything from secure single sign-on within their company to bulletproofing e-mail and Web services. Standards immaturity, high implementation costs, and complexity have kept PKIs from rapidly evolving, but vendors' efforts to simplify the technology and embed it into a variety of products are an encouraging sign of things to come.
Anita Karvè, associate editor, can be reached at akarve@mfi.com. networkmagazine.com