VeriSign OnSite Solves PKI Setup Dilemma
December 9, 1998
PC Week via NewsEdge Corporation: Organizations that recognize a need for data encryption and user authentication but don't have the time or the money to build a complete PKI should consider an outsourcing option such as VeriSign Inc.'s OnSite 4.0. In PC Week Labs' tests of the service, it provided a 24-by-7, highly secure, low-cost certificate issuance system for e-mail and Web browser users.
Version 4.0 has several enhancements, including Web server plug-ins for checking certificate revocation lists (CRLs), IP Security (IPSec) certificate support, automated renewal support, and expanded auditing and administration.
The biggest new feature in OnSite 4.0, which will be available later this month, is the OnSite Key Manager for key recovery. This optional service, which starts at $10,000 plus an annual service fee, lets a company escrow its employees' private keys in case an employee's hard drive crashes or the employee leaves for another job. The keys remain under local control, although VeriSign must be contacted to enable access to them. Escrow is appropriate for encryption keys; a signing key that anyone but its owner can recover no longer supports nonrepudiation, so organizations should keep signing and encryption on separate key pairs and escrow only the latter.
OnSite enables automatic authentication and encryption for users' S/MIME (Secure Multipurpose Internet Mail Extensions)-capable e-mail clients and SSL (Secure Sockets Layer)-capable Web browsers (including SSL Version 3). It also supports IPSec clients and routers for encrypting network transmissions as a virtual private network. OnSite's certificates are also X.509-compatible for support of electronic commerce applications.
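What the CRL-checking Web server plug-ins listed among the 4.0 enhancements actually have to do, and what "X.509-compatible" buys a relying party, is easiest to see in code. The Go program below is an added example written for this page; it is not part of the original review and not VeriSign's code. It builds a throwaway CA in the role of the outsourced authority, issues one X.509 user certificate of the kind an S/MIME client or browser would present, publishes a CRL, and then performs the check a server should make before honoring that certificate: chain validation to a trusted root, followed by confirmation that the issuer's CRL is authentic, current, and does not list the certificate's serial. The CA name, user identity, serial number and validity periods are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Failure modes a relying party must distinguish from a clean pass.
var (
	ErrRevoked   = errors.New("certificate serial is listed in the issuer's CRL")
	ErrCRLStale  = errors.New("CRL is outside its thisUpdate/nextUpdate window")
	ErrCRLIssuer = errors.New("CRL issuer does not match the certificate issuer")
)

const leafSerial = 1001 // hypothetical serial assigned to the user certificate

// demoPKI is a constructed stand-in for an outsourced CA (not VeriSign's):
// a self-signed root, one user certificate it issued, and a CRL it signed.
type demoPKI struct {
	CA, Leaf *x509.Certificate
	CRLDER   []byte
}

// issue generates a P-256 key for tmpl and has signer sign it (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildDemoPKI issues the CA, the user certificate, and a CRL that lists the
// user certificate when revokeLeaf is true. Names and lifetimes are made up.
func buildDemoPKI(now time.Time, revokeLeaf bool) (*demoPKI, error) {
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Demo CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, SubjectKeyId: []byte{1, 2, 3, 4},
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign is required to sign CRLs
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(leafSerial), Subject: pkix.Name{CommonName: "alice@example.com"},
		EmailAddresses: []string{"alice@example.com"}, // the S/MIME identity a mail client presents
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	// A CRL is a signed, numbered list of revoked serials with an explicit freshness window.
	crl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(6 * time.Hour)}
	if revokeLeaf {
		crl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: big.NewInt(leafSerial), RevocationTime: now.Add(-time.Minute)}}
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &demoPKI{CA: ca, Leaf: leaf, CRLDER: crlDER}, nil
}

// checkCertificate is what a CRL-aware server plug-in must do before trusting a client
// certificate: validate the chain, then confirm the issuer's CRL is authentic, fresh, and silent on this serial.
func checkCertificate(leaf, issuer *x509.Certificate, roots *x509.CertPool, crlDER []byte, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("parsing CRL: %w", err)
	}
	// Only the certificate's own issuer may speak to its revocation status.
	if !bytes.Equal(crl.RawIssuer, leaf.RawIssuer) || !bytes.Equal(crl.RawIssuer, issuer.RawSubject) {
		return ErrCRLIssuer
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL signature check failed: %w", err)
	}
	// Hard-fail on a stale CRL: blocking CRL downloads must not keep a revoked certificate alive.
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return ErrCRLStale
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("%w (revoked %s)", ErrRevoked, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

// check runs the full check against the demo PKI's own root, using the supplied CRL, at the given time.
func (p *demoPKI) check(crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CA)
	return checkCertificate(p.Leaf, p.CA, roots, crlDER, now)
}

func main() {
	now := time.Now()
	for _, revoked := range []bool{false, true} {
		pki, err := buildDemoPKI(now, revoked)
		if err != nil {
			panic(err)
		}
		fmt.Printf("listed in CRL=%v | at issue: %v | 7h later: %v\n", revoked, pki.check(pki.CRLDER, now), pki.check(pki.CRLDER, now.Add(7*time.Hour)))
	}
}
```

Two points the example makes concrete. A revoked certificate still validates as a perfectly good chain, so a server that stops after chain validation accepts it; the CRL lookup is a separate, mandatory step, and it is only meaningful after the CRL's own issuer and signature have been checked. And a CRL past its nextUpdate is treated as a failure rather than silently trusted, because a soft-fail policy lets anyone who can block the CRL download keep a revoked certificate alive. Whether to hard-fail is a deployment decision; the price is availability when the CA's CRL distribution point is unreachable.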
However, because OnSite supplies no client-side applications of its own, it requires companies to obtain third-party applications for desktop encryption that can interface with the OnSite PKI (public-key infrastructure). For example, products such as JetForms Inc.'s FormFlow 99 provide online signing of forms such as expense reports, and AT&T Corp.'s SecretAgent Software secures multiple types of communications, applications and files. Another option is for a company to develop its own applications and interface them using VeriSign's new Application Integration Toolkit.
GTE Internetworking's CyberTrust CA Hosting Service is one prominent outsourcing rival. That product has one advantage over VeriSign OnSite: customers have a direct migration path from the outsourced service to GTE's PKI product for total in-house management by replicating the directories and databases. The outsourced service starts at $24,000 per year for 5,000 certificates, plus setup fees.
Customers who need top-to-bottom support also can set up a PKI with a product such as Entrust Technologies Inc.'s Entrust/PKI and Desktop Enterprise Suite (see PC Week, Sept. 28, Page 91). Entrust/PKI provides a complete PKI package, securing many levels of communication, but it requires proprietary clients and high-availability hardware/facilities, and it is best suited to large companies.
Network Associates Inc.'s PGP Enterprise Security is a closer rival to VeriSign OnSite by virtue of its easy deployment (see PC Week, Sept. 28, Page 91). PGP Enterprise Security has a decentralized infrastructure that distributes the certificate database among users' personal "key rings." Unlike OnSite, PGP can encrypt local files.
PGP (Pretty Good Privacy) certificates do not support the X.509 standard, though, and therefore are not as well suited for e-commerce as VeriSign and Entrust certificates are. However, Network Associates plans to introduce a universal PKI server product this month that will integrate VeriSign OnSite, Entrust/PKI and PGP certificates.
OnSite is less costly than these rivals, at $5,750 per year per 1,000 users ($4,000 per 500 users, minimum), plus a $1,000 provisioning fee. However, optional modules for auto-administration ($20,000), Lightweight Directory Access Protocol integration ($15,000) and application integration ($10,000) bump up the cost. Small organizations may want to buy certificates for $10 each and let VeriSign manage them instead.
A complete Entrust package costs $15,000 for the PKI server software, plus $159 per PKI client, $99 per desktop software user, and more for hardware and facilities. PGP Enterprise Security costs $26,000 per year per 1,000 users.
VeriSign also supplies server certificates for SSL-enabled Web servers. These certificates cost $349 for the first and $249 for subsequent certificates. A similarly priced server version of OnSite can make certification faster for multiple machines by allowing them to be certified locally rather than through VeriSign.
VeriSign's hard to beat
VeriSign's service provides state-of-the-art fault tolerance, redundancy, security and database backup that any organization endeavoring to establish a PKI would be hard-pressed to duplicate. OnSite keeps audit trails of certificate issuance, revocation and administrative actions, which support nonrepudiation by recording who authorized each certificate and when, and organizations have instant access to proven software updates without in-house testing. At the same time, company administrators have full control over the certificates assigned to employees.
We installed the OnSite Administrator Kit on a PC running Windows NT Workstation 4.0. The kit included a smart card and a Litronic Inc. reader that must be installed at the administrator's station for added security. This serial device conflicted with the PC's keyboard port, but it could alternately be powered from the mouse port. However, the reader can only be used with Netscape Communications Corp. browsers, not Microsoft Corp.'s Internet Explorer. An IE-capable device is scheduled for release by the end of the year.
The process of filling out a Web-based application, executing a contract with VeriSign, obtaining and installing the reader, having VeriSign check the administrator's credentials and downloading the approved certificate onto the administrator's smart card will take most organizations three to four days. Setting up the configuration for subsequent user certificate information took only 15 minutes over the Internet.
Users simply access VeriSign's URL and apply for their own certificate, entering a small amount of information. The administrator reviews all such requests, approving, rejecting, auditing or revoking certificates.
One weakness for smaller sites is that administrators aren't automatically alerted to certificate requests. We had to periodically check for new requests, which could leave users waiting for hours. However, status e-mail messages are automatically generated between the user and administrator at each stage of the user certification process, so the user's confirmation message can be rerouted to the administrator as a workaround until more robust alerting is supplied.
The alerting problem goes away at larger sites because the volume of requests will dictate checking on a schedule. Alternately, companies can install the auto-administration module, which deals with requests automatically through integration with a human resources database.
VeriSign OnSite now allows administrators to set up assistants with specified privileges, such as people who approve or reject certificate requests, configuration administrators, or even help desk personnel with read-only rights for troubleshooting certificate problems. Audit trails are kept on administrators' actions.
Most organizations will use the standard public certificate authority at VeriSign, meaning that the database will link with VeriSign's hierarchy of certificates. Companies whose employees do not have Internet connections, or those that require ultra-privacy, can purchase a private version that keeps a local certificate database but still requires contact with VeriSign for management. This places greater liability on the customer.
It's easy to manage users' certificate requests by browsing VeriSign's Control Center.
PC Week Labs Executive Summary: OnSite 4.0
Organizations that want message encryption and user authentication but don't have the resources to set up an expensive and potentially complicated public-key infrastructure should look into VeriSign's OnSite service. However, it does not include client software, requiring companies to obtain third-party applications for desktop encryption.
Pros: Issues X.509 certificates for e-commerce compatibility; secures e-mail, Web browser sessions and IPSec transmissions; high availability; requires no local server/infrastructure setup; works with standard client applications; low cost per user.
Cons: Does not include client applications; administrator's smart-card reader requires Netscape browser.
USABILITY: A
CAPABILITY: B
PERFORMANCE: B
INTEROPERABILITY: B
MANAGEABILITY: A
VeriSign Inc., Mountain View, Calif. (650) 961-7500; www.verisign.com/onsite
Scoring methodology: www.pcweek.com/reviews/meth.html
Contributing Editor Ken Phillips can be contacted at kenp@wtp.net.
<<PC Week -- 12-08-98>>
[Copyright 1998, Ziff Wire]