E-business standards group OASIS (Organization for the Advancement of Structured Information Standards) last month developed a comprehensive adoption blueprint for Public Key Infrastructure (PKI) technology.
Security vendors have long touted PKI technology (which uses digital certificates to authenticate e-mail, individual and enterprise transactions) as the answer to most network computer problems. PKI takes a systematic approach to information security. The technology represents a cohesive infrastructure approach to security, instead of addressing security service needs individually. But the technology has been hampered by cumbersome implementation, differing and incompatible standards, and problems integrating with legacy systems.
The OASIS PKI Action Plan builds on the results of a series of surveys conducted by the OASIS PKI Technical Committee with IT staff who have deployed or attempted to deploy PKI. PKI has evolved and so too should the industry’s understanding of the technology and its ability to drive Web services and e-business, according to John Sabo of Computer Associates and co-chair of the OASIS PKI Technical Committee.
Developed by the OASIS PKI Technical Committee, the PKI Action Plan addresses some of the primary obstacles to widespread PKI adoption, said Steve Hanna of Sun Microsystems Inc. and committee co-chair. These adoption barriers include poor or missing support in software applications, high costs, poor understanding of PKI among senior managers and end users, interoperability problems and lack of focus on business needs.
PKI traditionally has been difficult for organizations to deploy via trial or pilot programs. The key to adoption is two-fold, Hanna said, adding the goal is to create a compelling reason for using the technology. This includes reducing the cost of PKI deployment and usage while increasing the benefit via better “out of the box” PKI solutions, Hanna said.
There is a tentative two-year timeline for implementing this plan, in which time the technology “should be a lot more practical,” Hanna said, adding that early adopters include the government, military and financial institutions.
The initiative represents a call to action for the IT community, Hanna said, adding it outlines “clear and specific” measures for PKI use with secure e-mail, e-commerce and document signing. In creating widespread adoption, there is a need for interoperability testing, improved educational materials, best practices and other measures to reduce cost, and outreach to software application vendors, according to OASIS. PKI adoption is probably further along in Canada than in the U.S. In Canada, PKI has made some inroads, particularly in the public sector and the financial services industry, Hanna noted.
Members of the group include Computer Associates, Entrust, IBM and FundSERV. OASIS is currently seeking new members, including vendors such as Microsoft Corp., to join the initiative. “All PKI vendors are welcome,” Hanna said. The guidelines require the cooperation of the entire community, including customers, vendors, standards groups, researchers and government to successfully implement the Plan.
Experts note that despite its early adoption issues, PKI is expected to grow. According to Stamford, Conn.-based IT research firm Meta Group Inc., the maturity and transparency of PKI components (embedded in the NOS, directories and file systems) will speed widespread use of encryption by 2005-2006. Through 2007, PKI-based security functions (including digital signatures and encryption) will be integrated directly into the application during the development process.