Friday, 17 August 2007

Understanding Public-Key Infrastructure - Carlisle Adams, Steve Lloyd

Introduction
The book is one of the few comprehensive publications about PKI. It starts by explaining the idea of asymmetric encryption and why such a solution is better than symmetric encryption; this part also includes a general description of the most popular algorithms for both the symmetric and the asymmetric method. It then describes quite clearly what kind of infrastructure is necessary to provide such a solution and how it works. The most popular services, issues and decisions linked with PKI are also mentioned.

The content
A very strong positive aspect of the book is its practical approach. On page 59 it describes in detail the full range of services within a PKI (Table 5.1), but it also presents four other variants in which only a subset is implemented.

Chapter VII describes in detail all the procedures implemented by a PKI, such as initialization, issuing, revocation, renewal and archiving. It also discusses communication with the CA (Certificate Authority) and the possible use of an RC (Registration Center). It also covers the distribution of public keys, where the following solutions are possible:
· Out-of-band publication via external channels
· To and from public repositories and databases, which provide them on request and update them in real time
· Network transport with communication protocols such as secure email (S/MIME)

Chapter VIII, starting on page 107, discusses the various CRL implementations, including distributed CRLs, delta CRLs and CRT trees. The description lists their benefits compared to the basic solution. The chapter also describes OCSP, which provides an on-line, real-time solution on top of CRLs.

Chapter IX contains an interesting review of trust models. It looks like an unnecessary topic, but in fact it provides the input for quite important decisions about the shape of the CA tree. The tree is in fact just the first model considered; the next ones are generally based on cross-trust mechanisms (distributed trust).

Chapter X contains an interesting discussion about the need to use a number of key pairs for various applications, and it mentions the SEIS (Secured Electronic Information in Society) regulations, which suggest three of them:
· For encryption and decryption
· For signing and verifying a user's identity for general purposes
· For signing and verifying a user's identity where uniqueness of identity is a must
It also covers the options for certificate storage, where LDAP is the most popular.

Chapter XXI will be a great help if you need to convince a decision maker of the necessity of using PKI; the most popular applications are described right there. When you start to implement the solution, Chapter XXII will be a great help, as all the major questions are listed there.

Conclusion
The book explains in detail how PKI works. I must say that, although I understood the asymmetric idea, I still had a problem understanding exactly what the private and public keys are used for and how the whole thing works. There are not many publications that explain in detail and in practice how the infrastructure works; this book does. It is a great starter for anybody involved in a PKI project as a user, project manager, programmer, supporter or team mate.

Most of the surrounding topics are also covered, including the legal issues (however, it only discusses US legislation).

It also shows the biggest problems linked with PKI solutions, putting stress especially on decisions about flexibility versus security. A number of problems may be solved with such a solution, but there are no golden rules or must-follow procedures. Most of the things mentioned in the book must be customized for the particular company and application.

Score: 4 (good) /6
