Customer Reviews

PKI : A Wiley Tech Brief

5 star:		(8)
4 star:		(0)
3 star:		(0)
2 star:		(1)
1 star:		(2)

 

 

I think that Austin's Book, a PKI primer is the right book at the right time. It's a good introduction to the whole field of PKI with a great deal of breadth. I wish it had been written three years ago when I first started thinking about implementing PKI. (Full disclosure note: My company was one of the ones profiled in the book, but I hadn't seen any of the text of the book until its publication).

It's divided into five parts: Security Basics, PKI Technologies, PKI and Business Issues, Case Studies, and PKI Efforts Present and future. There are a total of 20 chapters spread out among those parts. The chapters in the first two parts are especially clear and offer a great introduction to this still new technology. The diagrams help the text and the text explain well what, in the end, are difficult concepts for the average business manager, even a technical one in charge of IT projects, to understand.

At the same time, the inclusion of the non-technological, but organizational related issues such as Certificate Practice Statements, evaluting vendor proposals, PKI audits, and others, rounds out the PKI "big picture". Like most technologies that need to work in the real business world. just buying a PKI solution from a vendor won't even begin to help you if you are not aware of organizational, legal, and implementation issues. From a business perspective, I found the "Vendor Evaluation Matrix" and the inclusion of a sample Request for Proposal(RFP) especially helpful.

Also helpful were the references to the current standard work being done by Internet Engineering Task Force (IETF) and the different European regulatory bodies.

One minor quibble: the book lists seven "contributors" but does not state who wrote which chapter or section. I hope that this will be corrected in a future edition.

If you want to get a very good grounding in PKI and the issues surrounding deploying it, or to answer the question of why you would even want deploy PKI, this book is a very good one to add to your knowledge arsenal. If or as you go implementing your own PKI solution, this book will be a handy "project check list" as well.

I bought this book because the Amazon description said it "explains PKIs at a level that's appropriate for experienced network administrators and security specialists who haven't looked into PKI technologies in a systematic way before." In this review you will see that I disagree with this statement.

Let's start with Chapter 1: PKI Explained. The author states "So then, why PKI? Because PKI is a technology that can provide the infrastructure, the controls, and the underlying security services necessary to support the requirements business executives now face." Does this statement mean anything? Like many of the generalizations in the book, no it does not, but there are 3 things we can learn from it. 1) Who is REALLY the intended target of the book. 2) The technical level from which this book is starting. 3) That the author has no intention of separating the PKI hype from PKI reality. (For this, turn your attention to Bruce Scheier's recent writings.)

Moving on to chapter 3: "Securing the Environment for PKI" it explains the basics of security planning. Please note this is the BASICS; in fact, all decent network administrators will be more than familiar with all the concepts here. For 3 pages it describes security as analogous with a castle, and even provides us with a picture of a castle, complete with door guards and horse mounted knights. This analogy, as with most in the book, was not helpful.

I could go on with through every chapter, but I think you should get the point by now. I am the head of infrastructure for a financial firm that is mandated to roll out a PKI solution, and I was looking for a book that describes in the real world what the PKI really does, what it really doesn't do, and what are the real issues. Although the book dances around this in various ways, the technical level is too shallow and the analogies are too disruptive to accomplish this in a satisfying way. I will continue to look around for other sources.

I give it 2 stars for some good case studies.

This is a complete and comprehensive look at PKI technology and its application. It was understandable and readable without being overly simplified. The many diagrams were helpful in illustrating the principles outlined in the text. Mr. Austin and those that assisted him have done an excellent job.

It is difficult to write a book for a technical as well as a business audience. Tom Austin has accomplished this task in his book PKI. Rather than simply present an in-depth technical discussion, Austin brings the technical arguements to a business audience and, for the technical audience, an overview of PKI technology and the business case for such an approach.

The book has five major sections. Security Basics places PKI within a larger information system security framework, introducing central concepts of cryptography and related functions. PKI Technologies examines the fundamentals of the PKI approach, including certificate authorities and hardware mechanisms. The PKI and Business Issues section cover a range of issues, such as acquiring PKI and enabling legacy applications. Then he presents Case Studies, where he shows how several large organizations (Bank of Bermuda, Perot Systems, Idaho National Engineering and Environmental Laboratory, U.S. Patent and Trademark Office and Reusch) made their business decisions in support of PKI and the implementation of PKI solutions. In his final chapter, PKI Efforts: Present and Future, the author discusses laws and standards as well as biometrics and PKI.

I plan to recommend this book to my consulting clients and those who wish to better understand the importance of PKI. If Tom Austin's book is an example of the Wiley Tech Brief series, I look forward to reading their other offerings.

Sanford Sherizen, Ph.D., CISSP

I'm researching on PKI for my PhD in Information Systems. This means I have read the whole range of books on this subject. Without mentioning names, many of these books are either too generalist or too brief on key issues to make sense. That's why I'm sure Tom's book is simply the best out there on the subject. It is extremely hard to balance the needs of some techies who just want to copy and paste lines of code and business people who want to know nothing about the technical side. Tom has done this job magnificiently. My view is that if PKI is to be elevated from the pilot schemes that number about 70% of all adopters of the technology, we need books like Tom's that cover the subject without the usual fascination with keys. Therefore, if you want to get the big picture about PKI - with a tinge of technology and business - get this book quick!!

Part of my job at an Internet security company is educating prospective customers on the mysteries of Public Key Infrastructure. I know from speaking to hundreds of customers that this is a technology that is foreign to many. In this book, Tom Austin does an excellent job describing, with good examples, each of the fundamental areas of PKI. Along with the well-written text, the book is richly illustrated and will clearly help the reader acquire a firm grasp of PKI. I'd like to leave a copy of this book with each of my prospective customers.

I must say that this book was the right book at the right time for me. After (re)-searching for some time for a book on PKI and finding really not much that could make the subject clear without being readable only by people who are already deploying, developing, or using PKI based solutions, i.e. the book starts on the ground floor; what is it all about, why do I care, and how can I plan for PKI. This book was an easy read on an increasingly important subject, its illustrations worked well for me, and the level of depth for a technical but first time reader on the subject was more than adequate. It is a PKI Brief not a PKI Bible and prospective buyers should keep this in mind. I bought 5 additional copies for managers and technologists in my company to get them started on the subject and to ground future discussion on the subject. Well-done Mr. Austin. I am looking forward to your next tech brief.

Tom Austin's PKI book admirably fills a real void for those attempting to understand the acquisition and deployment of PKI. This book addresses many of the business questions that those tasked with building business cases must deal with. The inclusion of business case examples, as well as providing a framework for determining the business costs of deploying PKI, differentiate this PKI books from most others. It does all of this while also providing a good overview of the technology.

It is well written - clear, easy to understand and systematic in its treatment of a complex subject.

An excellent teatise.

A most disappointing book.

I am an IT Professional who has worked in the industry for over fifteen years and recently moved from applications development into an infrastructure role involving PKI deployment.

I bought this book to understand the major issues but found the explanations to be shallow and incomplete.

I would particularly like somebody to explain the "Key Components" section on page 41. Why is an XOR used (rather than any other logical operation)? What is the meaning of the example involving Alice, Bob, Chris and Dan?

I feel that in trying to "simplify" the subject Mr Austin has "dumbed-down" certain concepts so much that the educated reader is unable to make sense of them. I am now halfway through the book and it does not get any better. I am also not happy with the style of writing; it does not seem to flow well and I find myself having to read passages repeatedly to extract their meaning. There must be better PKI books on the market than this one.

I am a software developer looking for a quick introduction before I get deep into the guts of PKI systems. This book does provide such an introduction, but you have to be very patient to get it. Mr. Austin hops around from subject to subject, introducing new ideas in the middle of a completely unrelated section. He will begin a paragraph with "in summary" and then move promptly on to throwing out concepts that he neither defines nor uses.

Mr. Austin seems to be working very hard to keep the book relatively non-technical, so that anybody can understand it. Unfortunately, he seems to like tossing in technical concepts, explaning part of what they mean, and then moving on without using them. His examples are generally so non-technical that they are mostly worthless, while so poorly contrived that they still don't make any sense.

This book might be a valuable resource if someone spent time reorganizing it, editing the grammar, and cleaning up the examples. Until then, however, I recommend you find something else. I'm certainly going to.