Some tips on implementing public-key infrastructure technology

Today, public-key infrastructure (PKI), the technology for managing public and private keys and digital identity certificates, is still in its adolescence. It has tremendous potential for securing electronic business, and it enjoys budding market demand and promising products, but it also suffers from continuing manageability, interoperability and deployment problems.

Adolescent or not, PKI will significantly affect enterprise IS infrastructures. Public-key encryption and digital signature support are now built into e-mail, virtual private network (VPN) and other software packages. While some packages require a special-purpose PKI, such as Microsoft Certificate Services or Lotus Notes/Domino, many applications can work with general-purpose PKIs designed for multi-vendor and multi-platform environments.

The question is, do you wait until PKI is fully grown, stop all enterprise deployment and risk losing ground to competitors in the brave new electronic business world? Or do you move ahead aggressively and take the smaller risk of getting burned by cost or schedule issues?

If you go ahead with PKI, don’t let too many special-purpose PKIs proliferate. Some of them are hard to scale or don’t incorporate the latest industry standards. And each requires its own policy documents, recovery mechanisms, trust relationships, risk analyses and administration processes. Defining these in a duplicative, inconsistent way can be expensive or downright hazardous to your electronic business health.

Once you decide on a general-purpose PKI, you must determine whether to manage critical PKI components such as certificate authorities internally or outsource the task to a public certificate authority service.

Insourced PKI products from vendors such as Entrust Technologies, Baltimore Technologies and Xcert give you greater control of your own destiny. You can set your own certificate and key management policies and engineer your infrastructure to comply with them. In addition, insourced PKI products are more feature-rich, and thus more flexible, than outsourced PKI services.

Outsourced PKI services from vendors such as VeriSign, Thawte and GTE also have advantages. Costs and schedules are more predictable because you can leverage existing expertise. You’re subject to the outsourced PKI service provider’s policies, but can gain improved interoperability by joining the provider’s trust network.

Cost is obviously a concern as well. An insourced PKI costs less per user than an outsourced one, but its overall support costs (staff, policy work and administration) are higher and largely fixed, so you will have to issue a significant number of certificates before the insourced investment begins to pay off.

A wise approach may be to get your feet wet with a PKI pilot involving a few users and an outsourced PKI solution. You can then switch to an insourced solution as usage rises.

Blum is senior vice president and principal consultant with The Burton Group, an IT advisory service. He can be reached at