Glossary

Public Key Infrastructure (PKI)

Public Key, or more accurately, asymmetric-key cryptography using X.509 certificates, is gaining acceptance as an authentication technology. In the Public Key model, certificates, which bind an individual to an identity, are registered with, and signed by, a trusted third party, the Certificate Authority (CA). As with any trusted third party system, the CA must be trusted by all parties involved.

While Public Key credentials, in the form of certificates and public-private key pairs, satisfy requirements for strong, distributed authentication, the credentials are cumbersome and require additional resources for a broad-based solution. The private key, which is the most important secret possessed by an individual, runs to hundreds or thousands of bits in length. Thus, a persistent storage system is required to hold the private key, and access to this storage must be protected using a more mundane and conventional mechanism, such as a PIN or password.

Conventional approaches to Public Key suffer from lack of tools and techniques for managing client credentials. Smart cards hold some promise for solving the problem of secure and mobile private key storage. However, this technology is still relatively new and expensive. The most costly part of the solution being not the cards, but the requirement that smart card readers be widely deployed. Lower cost solutions, which store the credentials on a local (e.g., workstation) disk file, suffer from mobility or security constraints. Conventional Public Key approaches also use credentials that are typically issued with a lifetime of months or years. Revocation of those credentials is still a problem, and scaleable and efficient solutions are not yet widely deployed.

Within the enterprise, client credential management problems have limited Public Key to a few selected applications. However, due to its ability to provide authentication without the prior establishment of a shared secret (e.g., a password) between the parties in a transaction, it has gained popularity in extranet-type applications. Although it has seen limited use due to client credential management problems, virtually all web clients and browsers are capable of Public Key authentication—an unfortunate and ironic situation. Also, a number of VPNs and e-mail applications also support Public Key. In some cases, such as VPNs, it is typical for the vendor to embed a single-purpose CA into their product. This is in part due to movement towards IPSec in the VPN area.

The application of Public Key for authentication and access control could provide significant benefits, if the client credential management problems can be solved. For example, secure web single sign-on is very feasible if we assume that all clients have Public Key credentials. The ability to transparently establish secure and authenticated VPNs would be greatly simplified if we assume that all clients have Public Key credentials.