13 Reviews
16 of 17 people found the following review helpful:
4.0 out of 5 stars
Good introduction to PKI,
This review is from: Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure (Paperback)
I have found that an unscientific--albeit effective--way to gauge the success of an idea or technology is to do a search on the subject at Amazon.com and see how many returns you get. For diet, there are well over 15,000 titles. For PKI (public key infrastructure), there are exactly four. While there are nearly 4,000 times as many books about dieting as there are books about PKI, the similarities between the two subjects are interesting. Both dieting and PKI are often difficult to do right, but when they are done correctly, the positive effects are immense. In a nutshell, a PKI is a set of technologies that enables users of inherently insecure networks and software applications (i.e., the Internet and browsers) to exchange data and perform transactions securely and privately. In a PKI, each user has a set of cryptographic keys comprised of a public-key and a private-key. A PKI also enables the use of a digital certificate that can be used to identify items such as individual end users, host systems, organizations, and directory services. PKI is based on public key cryptography, which is the most common method used to authenticate the sender of a message, or to encrypt that message. A PKI establishes digital trust and maintains that level of assurance. In the real world, trust is built through a complex web of social, legal, national, international, and business interactions that may take years or decades to develop. Unfortunately, that same level of trust is much harder to implement in the electronic world. With that in mind, Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure provides a thorough technical introduction to the workings of PKI. Those wanting a less technical and more managerial approach should read PKI: Implementing & Managing E-Security by Andrew Nash. The reason that PKI is so important is that information security is often the most fundamental need for today's businesses and e-commerce sites.
There is hardly a Fortune 500 company without some type of external public connection, and given that more than 95% of the hosts on the Internet are running TCP/IP version 4 (with no inherent security), these systems are built and running on an insecure infrastructure. Such a reality is a scary thought. The book is well organized into six sections. The first three chapters cover the basics and rudiments of security, cryptography, and PKI. Fortunately, the authors accomplish this by page 43. One of my personal gripes against many information security books is that they spend way too much time rehashing security basics, while not getting to the subject title until halfway through the book. Section Two includes seven chapters detailing the different PKI components, protocols, architectures, and uses of digital certificates. Many of those considering PKI do not always realize that the "I" in PKI is infrastructure. Without a well-thought out and tested architecture and methodology, a PKI is nearly sure to fail. Getting the initial PKI software rolled out is often not an easy endeavor. Getting those pieces to work effectively in a distributed infrastructure takes an immense amount of planning and work. Section Two details ways to ensure that a PKI is well built, so that it does not collapse like a poorly designed building. Chapter 12, "Policies, Procedures and PKI," is one of the most important chapters in the book, in that a PKI comprises much more than simply its underlying software. The book astutely notes that the technical mechanisms of a PKI are insufficient on their own, as they must be used in combination with a set of procedures to implement a particular corporate security policy. The need for policy can't be over-emphasized, as it is a critical element in the effective and successful operation of a PKI. A PKI can't be effective unless it is deployed in the context of working policies that govern the use, administration, and management of certificates. 
In a similar vein, noted security guru Marcus Ranum defines a firewall as "the implementation of your Internet security policy. If you haven't got a security policy, you haven't got a firewall. Instead, you've got a thing that's sort of doing something, but you don't know what it's trying to do because no one has told you what it should do". So, too, with a PKI; if there are no policies to determine its appropriate use, inertia states that it will not be used properly. Rather than being an abstract and dry guide, Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure concludes with some real-world examples of PKI rollouts. By learning how the three large PKI projects were implemented, readers can benefit from the lessons learned, so that they will not make the same (often common) mistakes. Rather than being an abstract academic text, the authors, Russ Housley and Tim Polk, write from years of practical experience. Housley is the Chief Scientist for Spyrus, and Polk is the technical lead for PKI at NIST. This review of mine originally appeared at ..../articles/2001/0104/0104m/0104m.htm At a little over 300 pages, Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure is a valuable reference to the workings of PKI.
7 of 7 people found the following review helpful:
5.0 out of 5 stars
Real PKI for Real People,
By Peter Yee (Mountain View, CA United States)
This review is from: Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure (Paperback)
Housley and Polk's "Planning for PKI" is an excellent reference for a variety of readers. Novices to PKI will gain an understanding of the many issues that exist in deploying and employing a PKI. The book makes no assumption about the reader's technical knowledge level, providing a brief introduction to the underlying cryptography, policy issues, and motivation for the use of PKI. Planners and system architects will learn about the crucial points that make the difference between a successful deployment of a PKI and one that only yields many lessons learned. In fact, "Planning for PKI" gives several concrete examples of existing PKI deployments and lists the lessons learned from those deployments. This is a real advantage for future deployments, allowing much time to be saved. The lessons learned alone are worth more than the price of the book. Software developers will also find this book useful. In a single volume, it gathers the authors' extensive knowledge of the PKI standards development in the IETF and elsewhere. Many subtle points about the PKIX RFCs are liberally sprinkled throughout the book. These nuggets provide insight into the intent of some of the esoteric topics in the RFCs and can assist the developer in producing an interoperable product or deployment. The language used in the book is plain and direct. Where useful, simple diagrams and ASN.1 fragments are given. The ASN.1 fragments are well-annotated so that an understanding of ASN.1 is not required to comprehend what is being presented. (And for those interested in ASN.1, there is a brief primer in the back of the book.) The real value of the book is the succinct (relative to the actual PKI standards and body of literature) gathering of the current state of the art in PKI into one tome. It covers the gamut from PKI history to future developments. Appropriate and accessible to a wide range of readers, "Planning for PKI" gets my hearty endorsement.
7 of 7 people found the following review helpful:
5.0 out of 5 stars
A credit to the authors,
By steven j downey (Shady Side, MD United States)
This review is from: Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure (Paperback)
Planning for PKI is without doubt the Class of all books related to PKI. The authors have done a marvelous job of creating a book that walks the fine line of being interesting to senior management as well as Engineers. For the CIO, it provides wonderful examples of how PKI can benefit your organization. For engineers and techies, it provides the nuts and bolts of Public Key Infrastructure (CP and CPS development, public key encryption, Architecture, CRLs, Cross Certification, Applications, etc.). It is truly a credit to the authors, and I would recommend it to anyone who has even the smallest bit of interest in PKI.
5 of 5 people found the following review helpful:
5.0 out of 5 stars
Planning for PKI: Non-techie's review,
By Alice Sturgeon (Ottawa, ON Canada)
This review is from: Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure (Paperback)
This is a great book for those of us who are NOT PKI development engineers. I learned a lot from this book; the authors, Russ Housley and Tim Polk, were able to present technical material in a way that was completely understandable to non-technical people who are interested in Internet and computer security issues. The Appendix on ASN.1, for example, clarified structures for me. As a policy person, I particularly enjoyed the Chapter on PKI Policy, thought it well written, succinct, and right on target. Since I read this book, I have referenced it in presentations and papers on the subject. Great work!
4 of 4 people found the following review helpful:
5.0 out of 5 stars
Prime time for PKI?,
By
This review is from: Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure (Paperback)
I agree with the bulk of what has been said above about the scope and depth of this book. I bought this book after becoming irritated with the lack of information on PKI best practices for Microsoft Technologies. Specifically, I was confused about how to integrate an Enterprise CA with a Root CA such as Verisign. Now I have a pretty good idea about the best way to go about this. In some of the later chapters there are some in-depth examples of the Federal Government and Power Utilities implementing PKI. One of the persistent 'Lessons Learned' was to use 509v3 Certificates. Most of the examples didn't use them, at least not exclusively. This begs the question why. In their own way the authors tell you in the conclusions. 'The field is very young.' Given the author is 'basically the man' when it comes to PKI infrastructures and the organizations putting in PKI are power companies, Military, and Government (people who should really, really, be concerned about having non-authorized use of their systems) one has to wonder how many regular type organizations are really interested in getting themselves in the middle of this rapidly changing technology. I can say after reading this book my feelings about implementing PKI have shifted very much towards not doing it. If you are considering implementing PKI, I would highly recommend you read this book and think about the real ramifications of doing so.
4 of 4 people found the following review helpful:
5.0 out of 5 stars
Serious Help for Those Interested in PKI,
By Ed Hart (Bowie, Maryland USA)
This review is from: Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure (Paperback)
Finally! A resource that offers real assistance for the enterprise IT manager. Whether simply contemplating a PKI system and needing to understand the fundamentals or actually planning for a roll-out, the authors have provided insight that comes only with having spent many, many years designing and developing information security systems for the most demanding of consumers. This is not marketing or sales hype and does not promote a particular vendor; rather, it offers valuable insight and subtle considerations in making critical tradeoffs and decisions about PKI details that must be understood if you intend to actually employ such a system. Building a successful PKI is an ongoing process; it is not a turnkey event. Once this is understood, the reader can learn much about PKI components and the subtle differences between them and how they can operate together, or not. Any senior IT leader should have this book on their shelf as a key reference document. Highly recommended. Ed Hart.
3 of 3 people found the following review helpful:
5.0 out of 5 stars
Very useful guide to PKI.,
This review is from: Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure (Paperback)
If you have just started working with PKI software or with OpenSSL and would like to gain a better understanding of X.509 certificates, certificate enrollment protocols and PKI, this book is for you. It's an excellent guide written by two of the co-authors of the "Internet X.509 Public Key Infrastructure: Certificate and Certificate Revocation List (CRL) Profile" (RFC 3280).
3 of 3 people found the following review helpful:
5.0 out of 5 stars
The best current book on PKI,
By
This review is from: Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure (Paperback)
The authors are the main editors of the current PKIX documents, which are the foundations for PKI work in Internet protocols. They know their stuff, and they write well. The book also gives good examples of using PKI in real systems, such as S/MIME electronic mail and VPNs. If you need to come up to speed on PKI, this book is by far the best available today.
1 of 1 people found the following review helpful:
5.0 out of 5 stars
What a great read,
By A Customer
Amazon Verified Purchase
This review is from: Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure (Paperback)
WOW, this goes into some great detail. I am new to PKI, but this has really opened up my eyes to some of the more exquisite details. Great for anyone interested in PKI, but you do need to have some knowledge on Cryptography.
3.0 out of 5 stars
Still work to be done with PKI,
By A Customer
This review is from: Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure (Paperback)
While Planning for PKI is a well-written book, after reading I still am not sure how it all fits together. I bought the book to learn more about PKI and chose this book because previous references rated this as the best book available on PKI. After reading this book I know a little more about PKI, but this book did not "de-mystify" PKI for me.
Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure by Russ Housley (Paperback - March 13, 2001)