• The X.509 standard
• PKI for privacy
• The emergence of electronic signatures and accompanying legislation
• New PKI initiatives supported by the XML standards bodies
• 
  
  In addition to this specific information, the authors lend their informed opinions on how emerging trends will drive the expansion of PKI.
  
  
  
  0672323915B10162002
  
  
  About the Author
  
  
  Carlisle Adams is recognized internationally for his many contributions to the design, specification, and standardization of public-key infrastructures. He is senior cryptographer and principal of security at Entrust, Inc. He has been an active participant in the IETF Public-Key Infrastructure X.509 (PKIX) and Common Authentication Technology (CAT) working groups.
  
  
  
  Steve Lloyd has more than 20 years experience in data communications and distributed systems security. His areas of expertise include distributed message handling systems and directory services, TCP/IP, security protocols, security architectures, and large-scale Public-Key Infrastructure policy and technology. He is currently manager of IT security consulting at AEPOS Technologies Corporation.
  
  
  
  0672323915AB10042002
  
  
  Excerpt. © Reprinted by permission. All rights reserved.
  
  
  Without doubt, the promise of public-key infrastructure (PKI) technology has attracted a significant amount of attention in the last few years. Hardly a week goes by without some facet of PKI being addressed in a newspaper, trade journal, or conference paper. We hear and read about the promise of authentication and non-repudiation services provided through the use of digital signature techniques and about confidentiality and key management services based on a combination of symmetric and asymmetric cryptography—all facilitated through the realization of a supporting technology referred to as PKI. In fact, many people consider the widespread deployment of PKI technology to be an important enabler of secure global electronic commerce.
  
  
  
  Although the foundation for PKI was established over two decades ago with the invention of public-key cryptography, PKI technology has been offered as a commercially viable solution only within the last few years. But what started as a handful of technology vendors a few years ago has seen the birth of dozens, perhaps hundreds, of products that offer one form or another of PKI-related service. Further, the commercial demand for PKI-based services remains strong, and available evidence suggests that this will continue for the foreseeable future.
  
  
  
  Still, as a technology, PKI is fairly new. And to many, PKI technology is shrouded in mystery to some extent. This situation appears to be exacerbated by the proliferation of conflicting documentation, standards, and vendor approaches. Furthermore, there are few comprehensive books devoted to PKI that provide a good introduction to its critical concepts and technology fundamentals.
  
  
  
  Thus, the authors share a common motivation in writing this book: to provide a vendor-neutral source of information that can be used to establish a baseline for understanding PKI. In this book, we provide answers to many of the fundamental PKI-related questions, including
  
  

• What exactly is a PKI?
• What constitutes a digital signature?
• What is a certificate?
• What is certificate revocation?
• What is a Certification Authority (CA)?
• What are the governing standards?
• What are the issues associated with large-scale PKI deployment within an enterprise?

Motivations for PKI

• Reduce administrative overhead (when compared with the deployment of multiple point solutions)
• Reduce the number of passwords required by end user s (and, consequently, the administrative and help desk costs associated with managing them)
• Reduce paperwork and improve workflow efficiencies through more automated (and more secure) business processes
• Optimize work-force productivity (by ensuring that users spend less time contending with the security infrastructure and more time on the job at hand)
• Reduce requirements for end-user training related to the use of the security services (because there is one security solution rather than many)

Changes in the Second Edition

• Chapter 14, PKI in Practice, looks at the use of this technology in the real world and tries to clarify where PKI can be beneficial and where it cannot.
• Chapter 15, The Future of PKI, is based upon an observation of how the world has been evolving and attempts to answer the question: Will this technology survive and, if so, why?

• Chapter 5, PKI-Enabled Services, now includes a section on privacy as a service that may be enabled by a PKI.
• Chapters 6, Certificates and Certification, and 8, Certificate Revocation, have been updated to reflect new extensions and clarification text that were introduced in the X.509 (2000) standard.
• Chapter 9, Trust Models, now incorporates material on several additional trust models that may be appropriate in some environments.
• Chapter 13, Electronic Signature Legislation and Considerations, has been revised and updated to reflect the significant progress that has been made in that area since late 1999. * The whole of Part II, Standards, has been updated to incorporate the latest achievements in that area, as well as the new initiatives that have been started, especially in the eXtensible Markup Language (XML) standards bodies. Numerous other, more minor, updates and revisions may be found throughout the book.

Audience

Organization

1. It provides an overview of the major standards bodies involved in the PKI arena and discusses the main focus of each group, giving a road map to some of these activities.
2. It demonstrates the relative maturity and stability of this area, highlighting the fact that a solid basis for implementation and interoperability has already been laid.

Part I: Concepts

Part II: Standards

Part III: Deployment Considerations

Vendor-Neutral Policy

Great PKI Project Manager's Guide/tutorial/overview, January 26, 2000
I gave this five stars for the breadth of coverage. I don't need yet another book on cryptography -- I already have a shelf full. Carlisle and Steve cover the PKI turf without getting unnecessarily bogged down in technical details. For example, they cover the functions and differences of ECDSA versus ECDH in about a paragraph. If you want to know how the algorithms work, read Applied Cryptography. This has a clear, concise, and non-technical explanation of just about every concept, standard, and issue a project manager would need to know about PKI. I give credit for not trying to cover the technical issues in depth -- rather, this takes the approach of: here's the issue, here are the alternatives, and if you want to know more read ...The concepts and issues are very current, and cover proposed and draft standards, including Privilege Management Infrastructure, certificate revocation mechanisms, trust models, etc. Excellent coverage!

Excellent PKI reference, October 30, 2000
Pundits, the press, and other elements of the cognoscenti invariably attempt to make every year "the year of" something. For whatever else 2000 might be the year of, many technology periodicals have proclaimed it the year of public key infrastructure, or PKI. Didn't know that? Many people don't even understand the term, which is neither descriptive nor intuitive.

In the physical world, trust is built through a complex web of social, legal, national, international, and business transactions that can take years or decades to develop. Items such as driver's licenses or passports create trust, because they are underwritten by the issuing authority. Unfortunately, the same level of trust is much harder to implement in the electronic world. One way to do so is via PKI.

As an example, one can use a passport for identification in the physical world. The cyberspace equivalent could be a digital certificate for authentication. Similarly, ink-based signatures are used on binding contracts. In the digital world, digital signatures are used to ensure a concept called nonrepudiation, by which the party involved in a process cannot later deny that he or she took part in it.

Understanding Public-Key Infrastructure is a guide to the effective deployment of PKI. The authors do a great job of covering the critical areas of PKI, including certification, operational considerations, standardization efforts, and deployment issues.

The authors deserve credit for producing a guide that avoids getting bogged down in minutiae and other technical details. Their approach is to cover a topic at a broad level, delve into some detail, then refer the reader to an appropriate source for particulars. They are also obsessively vendor-neutral.

This is an important book for those who expect to do e-commerce. Because whether anyone realizes it or not, this is the year of the PKI.

This review of mine originally appears at http://www.securitymanagement.com/library/000859.html

comprehensive and still very readable: a must!, June 4, 2000
I'm giving courses on PKI. I was looking for a good reference for my students. Finally found one! I read it cover to cover: comprehensive, very easy to read, vendor-neutral (very important to me), not biaised: also gives you the pros and cons, issues with PKI. A must to read if interested in PKI.

Nearly worthless, March 23, 2003
I bought this book because of the excellent reviews it got. However upon reading this I can't see any justification for these reviews. First of all it is very high level; I mean appropriate for your manager's, manager's manager maybe. This book is all about fawning over Diffie Hellman and philosophizing about how pki should be used etc. There is no technical information in this book, no code, no flow charts, no diagrams, no data structures. It doesn't even explain how pki is applied, for example to ssl. All the real information in this book could have been condenced to a few pages. I really needed this book to be good and it was not. Look if you want to go to a cocktail party and impress someone with no technical exposure then maybe this is your book. Otherwise there must be better choices.

Complete and succinct discussion of PKI, April 25, 2000
"Understanding Public-Key Infrastructure" is well written and is a terrific book. It is the most complete and succinct book available on the subject of PKI. Other books deal with various detailed aspects of Public-Key Infrastructure, but this particular book is the best available in forming a clear overall perspective of the subject area. A great book for managers or technical readers which are looking for good, solid information but which don't want excessive details. I enjoyed the book, and feel the authors did an excellent job in describing the subject of PKI. The approach taken in this book is useful, not hyped. The coverage is broad and extensive but not encumbered by inordinate detail about algorithms and protocols. Explanations are clear and concise.

I am pleased to recommend the book to anyone looking for a very good, succinct but thorough treatment of the subject area.

Wonderful overview, November 21, 2000
This is an excellent summary and overview of a difficult topic. It simplifies and explains without removing important detail or obscuring unsolved problems. It's an excellent book for technical people new to PKI, or for manager/business types who need a deeper understanding of the technology. I bought extra copies to hand out at work to people who needed to know this stuff.

Great Overview of PKI from Entrust's Top Cryptographer, May 30, 2000
This book gives a great overview of PKI for the corporate descision maker who is trying to deside if PKI is a required solution. More theory than technical, this book is a good primer for the technology.

Although the authors work for Entust and they claim there is no prejudice in the book, they still recommend 'best practices' that just so happen to be only available via Entrust.

Despite the bend toward Entrust solutions, this is still a great buy.

PKI book that makes sense, May 21, 2001
Carlisle and his co authors have written a book that will allow the Security practioner, as well as the Security techie, to understand the basics of PKI Infrastrucutres. I had the opportunity to meet Carlisle at the Secure Summit this past Jan., and we had a very interesting dicussion about this book, how he came to write it, etc. Just sorry I didn't have my copy for an autograph. I have ordered my 2d copy, sent the first copy I bought to a buddy who needed to understand the innnards of PKI. This book is an easy read but loaded with good data on PKI. I would recommend this book to managers who need to understand PKI but don't need to do the technical pieces. For my part, I am Security professional with over 30 years experience.

Has value for Technical Architects / Security Analysts, May 7, 2004
I think there's some merit to people expecting a more hands on approach in a book like this. But those expectations seems unrealistic. The book is not titled "Implementing PKI," it's called "Understanding PKI."

There is value in a concepts book. For experienced technical professional trying to get a grip on the terminologies and concepts of security and PKI, this book is succinct and touches all the major points.

For those looking for screenshots of people right clicking icons, there's a thousand other books like that! Most of those so called "technical books" are not that technical. It's nice to have a book that's not product specific for a change.

This book does what it intends to do well. There is a need for more technical books but this book is valuable in it's present form. I have given several copies to peers.

I hope this review helps you balance out your opinions before deciding for or against this book.

Brian Wilson must work for Verisign..., February 25, 2001
Its not Entrust's fault if they are the only PKI vendor that actively supports standards, develops the most technologically advanced and secure PKI solutions, and carry out the best practices.