Keon: PKIs Answer?

RSA plug-in may hurdle barriers to public-key security.

Download the authoritative guide: How to Develop an IT Security Strategy

PKI technology has en-joyed little acceptance in the enterprise, despite the fact that users are clamoring for more security everywhere. Its a fact not lost on cryptography vendors.

One of them, RSA Security Inc., hopes to change the technologys fortunes when it unveils next week new software that attempts to remove two of the major barriers to public-key infrastructure deployment: application integration and end-user invisibility.

RSAs Keon Web Passport builds on a concept VeriSign Inc. introduced last year under the name Personal Trust Agent, according to company officials in Bedford, Mass. PTA and, now, Web Passport employ a small, downloadable module to bridge applications to PKI certificates without having to build PKI support into the application itself. The Keon product, a 700KB plug-in, will support most major applications, including messaging programs that use Secure Multipurpose Internet Mail Extension, all Web browsers and secure forms as well.

But Web Passport goes further, RSA officials said, as it automates the certificate enrollment process. When a user visits a Keon-enabled Web site but lacks a certificate, Keon issues the plug-in and then retrieves a certificate (which could be from any of the major certificate authorities). The user is then enrolled based on information stored in a Lightweight Directory Access Protocol directory. Bottom line: The end client doesnt have to do anything but accept the plug-in download to start using PKI.

Since Keon works with any application and any certificate and takes the end user out of the enrollment process, the hope is that the software will make PKI at once less visible and more widely accepted.

So far, the key applications for PKI have been single-sign-on and virtual private network authentication. But most vendors, over the long term, envision a world where PKI is used in everyday external, Web-based transactions.

In the short term, however, RSA officials understand users will start with smaller, probably internal deployments and gradually give certificates to customers and partners over the Web.

Electronic Data Systems Corp. is starting with single sign-on. Gavin Grounds, director of information assurance services at the Plano, Texas, company, believes PKI is on the cusp of legitimization. "PKI has for a long time been stuck in that paradox—we want something immensely secure and immensely simple," Grounds said. "I think we are just now finally starting to get there."

Chris Smith, director of IT at Eastern Corp. Federal Credit Union, in Woburn, Mass., has used PKI since 1997 but believes its on the verge of a breakthrough. "It hasnt been without challenges," said Smith, who uses PKI for authenticating his own users. "Even with a very narrow implementation and with mainstream applications, we had to plug holes we shouldnt have. Software like Keon could really open up what we do with PKI."

But its no guarantee, as security analyst Steve Gibson points out.

"The problem to date has been its just not transparent enough," said Gibson, who runs Gibson Research Corp., in Laguna Hills, Calif. "While this could help, I dont think anything will get truly better until the operating system gets much tighter integration with PKI."

RSA is beta testing Keon Web Passport, which wont ship until the first quarter of next year.