
Bits 'n' Pieces Of The Networked World

Last week I had a chance to attend the PKI forum convention at San Jose, and lend my ears to some sessions, and chip in with a few suggestions of my own.

For somebody who has been in the Internetworking industry for some time, it is easy to get some feelers on the direction a particular product, company or technology is taking, especially if it is within one's own line of business. The last one, technology, is somewhat more critical than products or companies, since a key technology can prove to be a prime mover and in the process spawn off new industry segments and create technical offspring, so to say. We've seen that in the last decade or so, when core technologies like Java and Windows 95 (on the software side), the PCI/USB buses (on the interfaces side), the PDA revolution, and more recently WAP have all managed to create an impact and build momentum across industry segments. There are a host of others, all having sufficient traction to revolutionize information technology in pockets or as a whole.

Early indicators point towards Public Key Infrastructure (PKI) moving into this category of market prime movers. I say early because there is a lot of work that is to be done in this area. But the reason I would want to slot it into this category is because of the sheer potential that PKI seems to have in the future.

PKI Overview And Components
Even though it is an emerging technology, with not much of an installed base, PKI has been sufficiently abused, and there is no dearth of information on the topic. So I will not go into defining PKI again. But it is necessary to point out that, unlike what some people believe, it is not one protocol or standard that people need to conform to, but rather a whole set of services. Its components include digital certificates, Certificate Authorities (CAs), Registration Authorities (RAs), security-enabled applications, databases and Lightweight Directory Access Protocol (LDAP) directories, among others.

In other words, PKI is a combination of enabling technologies and practices that offers users a way to significantly enhance their security. It also helps in protecting, identifying, transacting and providing privacy on internal and public records. Different implementations might require having subsets of the whole set of services, depending on their need.

Barriers To Deployment
PKI has been doing the rounds of IT magazines, and there are articles published on it every now and then. But when it comes to actual deployment, the scene has been laid back. The reason? The usual story: lack of standards. The cost of implementation has also been prohibitive. Then again there is the risk factor of it being an emerging technology. With considerably high investments required, service providers are hesitant to offer a managed PKI service as part of their portfolio. PKI is supposed to be a simple concept, but a complex technology (ironically, most people do not understand PKI beyond the acronym). And of course, there are the interoperability issues to be considered.

But all this is changing. I see requests for PKI support becoming a key part of many Request for Proposals (RFPs) that are being generated today, and it is picking up considerable momentum in Europe, where the carriers are more mature when it comes to technology, whether it be the strides in the wireless market, or security. The Europeans have managed to pull ahead in both the areas, and it is the Americans who need to do the catching up now.

The Hype Cycle
Where do we stand now in the PKI cycle? The Gartner group presents an interesting analysis of the "PKI Hype Cycle" as it is called. (See Figure 1.0). While there has been a slow growth in the last few years since the 1994 RSA conference that brought some of the industry leaders together, it seems to be accelerating now. Banks and financial institutions have been the early adopters of PKI, and so far have used little outsourcing of their operations to service providers. Their interactions have been directly with vendors and consultants. But moving forward, managed service providers are going to play a major role with their PKI services offering.

Yet again, there would be a second PKI Hype Cycle, comprising various offshoots, like Wireless PKI, XML PKI, Roaming PKI and Win2K PKI, all of which would gradually move from being emerging technologies into stable, mature ones. These would be tightly integrated with applications as more vendors jump into the fray and the implementation requirements become more varied.

The question that many ask is, with the bust in Internet companies, is the e-business applications phenomenon relevant any more? Contrary to what is believed, e-business applications are on the rise, and the number of online transactions is ever increasing. There is a dire need for greater online privacy, and a tighter security mechanism for all applications. A significant element of online trading is to be able to carry out transactions confidentially, and "bind" the resultant deal. This may involve some sort of a trusted secondary verification, in the form of a handshake, or by signed and witnessed documents. In time the legal and regulatory framework needs to be adapted to suit electronic advances, and existing electronic laws (like the Digital signatures law) need to be more clearly defined. The Digital signature law authorizes electronic signatures, but fails to define them in terms of their scope and legal aspects. So till these are sorted out, the current laws will persevere, and there will always be ambiguity, affecting interoperability.

The legal aspects have been one reason why PKI has not been able to take off rapidly and vendors are not converging, though the last 8-12 months have seen some changes. It is a chicken-and-egg scenario. Does one wait for the standards and laws before implementing or furthering development, or does one heed market needs and move ahead? For now, it seems to be a case of the latter, where the demand for PKI, even at a basic level (and the need for a suitable alternative), is going to drive standards and interoperability, rather than the other way round.

Recent Advances
We've seen Virtual Private Networks (VPNs), Internet encrypted mail, e-commerce, and secure Web communication related applications making a bid for PKI-based services. The Internet Engineering Task Force (IETF) has also made considerable progress over the last year, though non-IETF bodies such as the PKI forum, which moved away from being an open forum, are making more headway. The definitions for VPNs, secure e-mail, secure network sessions, and PKIX have advanced from draft stages to being standards-track documents. The Internet draft on the X.509 Public Key Infrastructure roadmap is available at http://www.imc.org/draft-ietf-pkix-roadmap.

In India things are picking up. I had written about the digital signature laws that are being framed in India in one of my previous columns. These should provide some momentum. Likewise I would envision the concept of smart cards and wireless handhelds also providing some thrust. Online trading could be a big event in India as well. As security concerns grow, and revenue opportunity presents itself, the service providers will have to add these services to their portfolio. So there is work going on in India as well, and some of the large ISPs must at least have a preliminary roadmap for it. (See Figure 2.0 for some of the key events, which could fuel the growth of PKI deployment on a global scale.) The interesting aspect is that it will take some time for wireless applications to catch up, as opposed to wired applications, but they will act to accelerate the trend.

The Indian Bandwagon
Not surprisingly, quite a few Indian companies have jumped onto the bandwagon, and some already have offerings on the plate. Chennai-based Odyssey technologies (http://www.odysseytec.com) made a presence in the PKI forum. Surprisingly, it is a Principal Member as well. It is an expensive proposition to be a principal member, and only companies that have an interest to drive activities from an executive board perspective would consider such an investment. That is a good sign, and we might see some action from Odyssey, which seems to have taken an early lead with its PKI products comprising the CERTRIX certification server, the CERTRIX-R registration server and the CRYPTOMAGIC toolkits.

Another company, Bangalore-based Datanet Systems (http://www.datanetsystemsltd.com), has developed a PKI-based security software called BPRO/SS. The company is focusing on electronic banking solutions, and it should be interesting to see its growth in this vertical. Yet another organization that seems to have a PKI focus is the Mumbai-based MIEL e-Security Pvt. Ltd. (http://www.mielesecurity.com), which aims to "e-Secure India".

Clearly India is sensing the security opportunity, and with its inherent readiness when it comes to developing software-based applications, there seems to be no reason why these companies should not succeed, provided they position and price their products effectively, and have a feature-set that matches global requirements. Others like the IT giant Wipro, while not necessarily having a strong PKI offering, do have an intellectual base and the market muscle to get ahead despite a late entry. Currently it has a strong security portfolio with its Websecure program (http://www.wipro.com/wiprowebsecure) and is providing a customizable framework that can be adapted to provide security for Web-based features.

While major Indian banks would no doubt adopt any initiatives toward e-commerce, the smaller banks and financial institutions need to get their people trained, and recruit a security consultant, to help strategize for the next few years. These migrations take time, and with security, one might not get a second chance. Even if they do not deploy PKI and related technologies immediately (which is not entirely advisable), banks should have a "proof-of-concept" lab, where these technologies can be tested given the framework of their own environment and requirements. It would then make the migration path much easier. Alternatively, if a vendor-independent company decides to construct such a center and lease it out to banks, where they could build prototypes and experiment, that could prove to be a good business proposition.

Useful Links
I have deliberately not gone into the technology intricacies of PKI since I feared it might prove repetitive with many a magazine espousing it. I would write about it some other time, when I find information that is not so readily available. For the academic, here are some resources that could prove useful:

1. www.pkiforum.org/resources
2. www.pki-page.org
3. www.state.ma.us/itd/legal/pki.htm

N. Shashi Kiran works for Nortel Networks at Santa Clara, as a Product Manager. The views expressed are his own, and not that of the organization.
He can be reached at shashikiran_n@hotmail.com

Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD