Standards Slow Embedded PKI Growth

As industry struggles to find its niche, Baltimore and Entrust battle over integration specifications

As PKI vendors struggle to find new applications and markets for their technology, debate is brewing around one of the nascent standards they hope will help spur widespread implementation of public-key infrastructure in handheld devices.

While both sides contend they have users' interests in mind, a protracted debate on the Extensible Markup Language Key Management Specification, or XKMS, could ultimately prevent customers from obtaining PKI-enabled devices in a timely fashion. The delay could also prove painful for a PKI industry struggling to find mass-market uses for a technology that has become somewhat of an albatross.

"This is something that we absolutely need to have," said Ty Rauber, chairman of Digital Media On Demand Inc., in Allston, Mass., regarding the mass availability of certificates in handheld devices. Digital Media is a provider of secure digital content.

At issue is XKMS, the proposed standard for simplifying the integration of digital signatures and data encryption with e-business applications. The specification is under study by the World Wide Web Consortium. Two of the major players in the PKI market, Baltimore Technologies plc. and Entrust Inc., have submitted separate, competing extensions to it.

While both proposals largely address the same problem and take similar tacks, observers say a compromise is unlikely. Thus, the task of choosing one or the other for inclusion in the final specification will fall to the newly created XKMS working group, which was due to be created last week at a W3C conference in Redwood City, Calif.

The goal for both XKMS extensions is to make it easier for manufacturers of devices such as smart cards, cell phones and cable modems to request and issue large numbers of digital certificates. Currently, each manufacturer has to build a custom software interface for each PKI vendor's certificate authority.

"Today, the support of a PKI-based service requires a lot of effort from the production center to adapt to customer requirements," said Patrick George, head of technical marketing for the personalization and research and development groups at Gemplus International S.A., a Luxembourg-based smart-card manufacturer with U.S. headquarters in Redwood City. "This is definitely not efficient in our context of mass production."

In theory, the extensions will streamline the process by providing a common interface for manufacturers to use with any certificate authority.

But officials from Baltimore and other supporters of the company's proposal said its X-Bulk specification, presented last week to the W3C conference, is the only true multivendor solution. "Entrust brought out a similar thing, but it relies on their code to talk to their software, so it only solves the problem for them," said Paul Turley, market development manager at Baltimore, of Dublin, Ireland.

Entrust, not surprisingly, doesn't see it that way.

"Everyone is looking at the [XKMS] protocol and concluding that it's not perfect," said Brian O'Higgins, chief technology officer of Entrust, in Plano, Texas. "Work needs to be done because these embedded devices will be using our software a few years out."