Simplification, not XML, is the Key to PKI Success

In this mean season, it's sad to see our fondest e-business visions become stale jokes.

Take public-key infrastructure (PKI) technologies. More specifically, let's take another look at yesteryear's promise of interoperable, multivendor PKIs as a universal trust and security environment for e-business. Sure, we have PKI standards galore, and many innovative PKI products and services. So why has the mass market for PKI-enabled products never taken off?

PKI's shortcomings are no secret to anyone who has tried to make it all work together. Chief among them is its complexity: PKI must be greatly simplified to achieve any degree of universality. In particular, traditional PKI requires too much application preconfiguration at browsers, e-mail clients and other desktop applications.

To its credit, the PKI industry is working to simplify its technical approaches. PKI vendors are developing new architectures that take much of the processing load off the overburdened client and delegate it back to the server-side infrastructure. Chief among these are the XML Key Management Specification (XKMS), and the equally XML-based Security Assertions Markup Language (SAML), a permission management infrastructure (PMI) standard being developed under the auspices of the Organization for the Advancement of Structured Information Standards (OASIS). Industry standards groups are also debating the merits of proposed PMI interoperability specifications such as the XML Access Control Markup Language (XACML).

Unfortunately, these budding, young security standards, in spite of all their promise, may not make e-business trust infrastructures less complex to deploy and manage. If we're not careful, we'll simply be exchanging one complex trust environment (traditional PKI and PMI) for another (XML-enabled PKI and PMI) at the client and server levels.

At the client level, XKMS -- the most important of the emerging but still unfinished standards -- will let applications delegate the retrieval, parsing and validation of X.509 digital certificates to trusted servers, thereby reducing the PKI-enabled business logic that must be installed on clients. However, XKMS will require retrofitting clients to support new standards such as Simple Object Access Protocol (SOAP) and Web Services Description Language.

Adding to the potential for complexity, XKMS and SAML, if implemented together, will expand the range of trust servers that must interoperate. XKMS defines two principal new infrastructure components, Registration Servers and Assertion Servers, which support all traditional PKI functions but do so through exchange of standardized XML-based messages. Likewise, the SAML framework will enable standards-based authentication and authorization through XML messaging among such new infrastructure components as Authentication, Session and Attribute
Ratcheting the complexities up further, the proposed XML standards won't necessarily blow traditional PKI and PMI architectures out of the water. It's very likely that the XKMS and SAML worlds will need to interoperate with legacy PKI and PMI infrastructures through adapters and gateways for such purposes as registering and validating X.509 public-key certificates.

The new XML-based security standards are on the right track. It's a given that XML-based application-to-application messaging and digitally signed trust assertions will be important features of next-generation PKI and PMI environments. But the standards development efforts among XKMS, SAML and other leading initiatives have not been well-coordinated. The industry should, above all else, consolidate development of XML PKI and PMI standards under a single organizational umbrella, rather than continue to triangulate among the Internet Engineering Task Force, World Wide Web Consortium and OASIS. We also need stable, open source reference implementations of these next-generation PKI and PMI standards to jump-start widespread implementation and interoperability.

Most important, we need radical simplicity of PKI and PMI configuration at the client level. This stuff has to be cheap and easy to set up and manage on the desktop, laptop and palmtop. Otherwise, it won't succeed in the mass market. We've seen too many 1990s visions stumble on the doorstep to the new millennium.

This story, "Simplification, not XML, is the Key to PKI Success" was originally published by ITworld.

Copyright © 2001 IDG Communications, Inc.