'n' Pieces Of The Networked World
week I had a chance to attend the PKI forum convention
at San Jose, and lend my ears to some sessions, and
chip in with a few suggestions of my own.
For somebody who has been in the Internetworking industry
for sometime, it is easy to get some feelers on the
direction a particular product, company or technology
is taking, especially if it is within one's own line
of business. The last one-technology--is somewhat
more critical than products or companies, since a
key technology can prove to be a prime mover and in
the process spawn off new industry segments and create
technical offsprings, so to say. We've seen that in
the last decade or so, when core technologies like
Java and Windows 95 (on the software side), and the
PCI/USB buses on the interfaces side, the PDA revolution,
and more recently WAP--all have managed to create
an impact and build momentum across industry segments.
There are a host of others, all having sufficient
traction to revolutionize information technology in
pockets or as a whole.
Early indicators point towards Public Key Infrastructure
(PKI) moving into this category of market prime movers.
I say early because there is a lot of work that is
to be done in this area. But the reason I would want
to slot it into this category is because of the sheer
potential that PKI seems to have in the future.
PKI Overview And Components
Even though it is an emerging technology, with
not much of an installed base, PKI has been sufficiently
abused, and there is no dearth of information on the
topic. So I will not go into defining PKI again. But
it is necessary to point out that unlike what some
people believe, it is not one protocol or standard
that people need to conform to, but rather a whole
set of services. Its components include digital certificates,
Certificate Authorities (or CAs), Registration Authorities
(RAs), security-enabled applications, databases and
Lightweight Directory Access Protocol (LDAP) directories,
etc, amongst others.
In other words, PKI is a combination of enabling technologies
and practices that offers users a way to significantly
enhance their security. It also helps in protecting,
identifying, transacting and providing privacy on
internal and public records. Different implementations
might require having subsets of the whole set of services,
depending on their need.
Barriers To Deployment
PKI has been doing the rounds of IT magazines,
and there are articles published on it every now and
then. But when it comes to actual deployment, the
scene has been laid back. The reason? The usual story-lack
of standards. The cost of implementation has also
been prohibitive. Then again there is the risk factor
of it being an emerging technology. With considerably
high investments required, service providers are hesitant
to offer a managed PKI service as part of their portfolio.
PKI is supposed to be a simple concept, but a complex
technology (ironically, most people do not understand
PKI, beyond the acronym). And of course, there are
the interoperability issues to be considered.
But all this is changing. I see requests for PKI support
becoming a key part of many Request for Proposals
(RFPs) that are being generated today, and it is picking
up considerable momentum in Europe, where the carriers
are more mature when it comes to technology, whether
it be the strides in the wireless market, or security.
The Europeans have managed to pull ahead in both the
areas, and it is the Americans who need to do the
catching up now.
Where do we stand now in the PKI cycle? The Gartner
group presents an interesting analysis of the "PKI
Hype Cycle" as it is called. (See Figure 1.0).
While there has been a slow growth in the last few
years since the 1994 RSA conference that brought some
of the industry leaders together, it seems to be accelerating
now. Banks and financial institutions have been the
early adopters of PKI, and so far have used little
outsourcing of their operations to service providers.
Their interactions have been directly with vendors
and consultants. But moving forward, managed service
providers are going to play a major role with their
PKI services offering.
Yet again, there would be a second PKI Hype Cycle,
comprising of various offshoots, like Wireless PKI,
XML PKI, Roaming PKI, Win2K PKI all of which would
gradually move from being emerging technologies into
stable, mature ones. These would be tightly integrated
with applications as more vendors jump into the fray,
and the implementation requirements get variety.
The question that many ask is, with the bust in Internet
companies, is the e-business applications phenomenon
relevant any more? Contrary to what is believed, e-business
applications are on the rise, and the number of online
transactions is ever increasing. There is a dire need
for greater online privacy, and a tighter security
mechanism for all applications. A significant element
of online trading is to be able to carry out transactions
confidentially, and "bind" the resultant
deal. This may involve some sort of a trusted secondary
verification, in the form of a handshake, or by signed
and witnessed documents. In time the legal and regulatory
framework needs to be adapted to suit electronic advances,
and existing electronic laws (like the Digital signatures
law) need to be more clearly defined. The Digital
signature law authorizes electronic signatures, but
fails to define it in terms of its scope and legal
aspects. So till these are sorted out, the current
laws will persevere, and there will always be ambiguity,
The legal aspects have been one reason why PKI has
not been able to take off rapidly and vendors are
not converging, though the last 8-12 months have seen
some changes. It is a chicken-and-egg scenario. Does
one wait for the standards and laws before implementing
or furthering development, or does one heed market
needs and move ahead? For now, it seems to be a case
of the latter, where the demand for even basic PKI,
even at a basic level, (and for the need of a suitable
alternative) is going to drive standards and interoperability,
than the other way round.
We've seen Virtual Private Networks (VPNs), Internet
encrypted mail, e-commerce, and secure Web communication
related applications making a bid for PKI-based services.
The Internet Engineering Task Force (IETF) has also
made considerable progress over the last year, though
non-IETF bodies such as the PKI forum, moved away
from being an open forum, making more headway. The
definitions for VPNs, secure e-mail, secure network
sessions, and PKIX have advanced from draft stages
to being standard track documents. The Internet draft
on the X.509 Public Key Infrastructure roadmap is
available at http://www.imc.org/draft-ietf-pkix-roadmap.
In India things are picking up. I had written about
the digital signature laws that are being framed in
India in one of my previous columns. These should
provide some momentum. Likewise I would envision the
concept of smart cards and wireless handhelds also
providing some thrust. Online trading could be a big
event in India as well. As security concerns grow,
and revenue opportunity presents itself, the service
providers will have to add these services to their
portfolio. So there is work going on in India as well,
and some of the large ISPs must at least have a preliminary
roadmap for it. (See Figure 2.0 for some of the key
events, which could fuel the growth of PKI deployment
on a global scale.) The interesting aspect is that
it will take some time for wireless applications to
catch up, as opposed to wired applications, but they
will act to accelerate the trend.
Not surprisingly quiet a few Indian companies have
jumped onto the bandwagon, and some already have offerings
on the plate. Chennai-based Odyssey technologies (http://www.odysseytec.
com) made a presence in the PKI forum. Surprisingly,
it is a Principal Member as well. It is an expensive
proposition to be a principal member, and only companies
that have an interest to drive activities from an
executive board perspective would consider such an
investment. That is a good sign, and we might see
some action from Odyssey, which seems to have taken
an early lead with its PKI products comprising of
the CERTRIX certification server, the CERTRIX-R registration
server and the CRYPTOMAGIC toolkits.
Other companies like Bangalore-based Datanet Systems
(http://www. datanetsystemsltd.com), has developed
a PKI-based security software called BPRO/SS. The
company is focusing on electronic banking solutions,
and it should be interesting to see its growth in
this vertical. Yet another organization, that seems
to have a PKI focus is the Mumbai-based MIEL e-Security
Pvt. Ltd. (http://www.mielesecurity.com) that aims
to "e-Secure India".
Clearly India is sensing the security opportunity,
and with its inherent readiness when it comes to developing
software-based applications, there seems to be no
reason why these companies should not succeed provide
they position and price their products effectively,
and have a feature-set that matches global requirements.
Others like the IT giant Wipro, while not necessarily
having a strong PKI offering, does have an intellectual
base, and market muscle to get ahead despite a late
entry. Currently it has a strong security portfolio
with its Websecure program (http://www.wipro. com/
wiprowebsecure) and is providing a customizable framework
that can be adapted to provide security for Web-based
While major Indian banks would no doubt adopt any
initiatives toward e-commerce, the smaller banks and
financial institutions need to get their people trained,
and recruit a security consultant, to help strategize
for the next few years. These migrations take time,
and with security, one might not get a second chance.
Even if they do not deploy PKI and related technologies
immediately (which is not entirely advisable), banks
should have a "proof-of-concept" lab, where
these technologies can be tested given the framework
of their own environment and requirements. It would
then make the migration path much easier. Alternatively,
if a vendor independent company decides to construct
such a center and lease it out to banks to where they
could build prototypes and experiment, that could
prove to be a good business proposition.
I have deliberately not gone into the technology
intricacies of PKI since I feared it might prove repetitive
with many a magazine espousing it. I would write about
it some other time, when I find information that is
not so readily available. For the academic, here are
some resources that could prove useful -
3. www.state.ma.us/itd/legal/ pki.htm NM
Shashi Kiran works for Nortel Networks at Santa Clara,
as a Product Manager. The views expressed are his
own, and not that of the organization.
He can be reached at email@example.com