PKI Tells Who Goes There?

Baltimore masters policies; Entrust is well-rounded; RSA client shines; VeriSign tops at outsourcing

Pki technology is in demand because the Internet is easy to tap, IP data is simple to decode and computer users often make up personas at will.

Based on a request for public-key infrastructure proposals from The Prudential Insurance Co. of America, eWeek Labs came up with a plan to test the implementation and management of a complete PKI installation.

The criteria used to assess products in this eValuation included the ability to set up a CA (certificate authority) and RA (registration authority), bulk key and certification generation, certificate revocation, key escrow and recovery, certificate renewal, and directory support and integration.

We reviewed Baltimore Technologies plc.s UniCert 3.5, Entrust Technologies Inc.s Entrust 5.01, RSA Security Inc.s Keon 5.5 and VeriSign Inc.s OnSite 4.51; the latter is the only proposal for an outsourced service that Prudential received.

In addition, we examined the products ability to cross-certify, which is when one CA agrees to trust certificates issued by a different CA. In accordance with Prudentials needs, we tested each products integration with Lotus Development Corp.s Notes using the Secure Multipurpose Internet Mail Extension protocol. If the PKI vendor provided a client agent, we evaluated that as well.

Although no product won in all categories, Entrust, with its Entelligence desktop client, was the strongest overall product. For companies looking to outsource a PKI, VeriSigns is the first service to consider. RSAs Keon Desktop proved to be an attractive PKI client front end, and Baltimore was the clear leader when it came to using policies to manage a PKI environment.

Baltimores UniCert 3.5

unicert 3.5 has a killer ca and useful policy-based administration but lacks a desktop client. In this situation, an organization might want to use Baltimores CA with another client, such as RSAs Keon Desktop.

The lack of a client limits the ability of UniCert users to roam (use certificates and keys at different machines) without the use of hardware tokens. Further, application integration is usually handled by the client, and sites using Baltimores product will likely need to add a desktop client.

However, Baltimore offered a stronger CA than the other products. For starters, the CA runs on a wide variety of operating systems, including Windows 2000 and the gamut of Unix versions. Baltimore also has an extensive GUI that made it a snap to see the overall structure of the CAs and RAs. A strong policy editor gave us detailed control in defining what information was needed to create a certificate.

Baltimore has mastered the certificate renewal process. UniCert has a simple-to-use and flexible policy interface that enabled us to notify users when only 30 percent of their certificates life remained. It was also easy to set up certificates so that several users would have to sign a certificate before it was valid, and we could require that these signers be of a certain rank.

UniCert, more than any other product we tested, effectively uses centrally developed policies to distribute its administration. The product did stumble when it came to trusting other CAs and cross-certifying anything other than another Baltimore CA.

Lotus Notes has its own security protocols and is not very open to being managed by other products. Baltimore officials used the companys MailSecure module for integration with Notes and, although the process was far from seamless, it did work.

The list price for a Baltimore installation is $36,000 for the UniCert basic setup, including the CA and RA. Companies will likely need the Advanced Registration Module to handle certificate creation, which is another $20,000, and one-time user fees range from $16,000 for 1,000 users to $100,000 for 10,000 users.

Entrusts Entrust 5.01

entrusts pki was a well-rounded powerhouse when used with the companys Entelligence desktop client. Without the client, the Entrust 5.01 CA was nearly indistinguishable from the others in the lineup.

Entelligence gave us time-stamped audit logs and even backdated certificate revocation. The latter would be useful in cases where a user compromised access to a certificate but was not sure how long ago the compromise took place. Using the Entelligence client, we were also able to provide single sign-on as well as roaming sign-on.

One weakness of Entelligence is that users cannot revoke their own certificates, which would be very handy. This is because if a certificate has been compromised, its likely that the user will realize it before anyone else.

Another feature that companies should look for in a PKI proposal, one that Entrust and several other vendors provide, is integration with various hardware authentication devices, such as smart-card readers and biometric devices.

Entrust uses a service from ValiCert Inc. to provide support for OCSP (Online Certificate Status Protocol), which was developed by VeriSign and is widely used for real-time validation of certificates.

We were also able to mandate that more than one approval had to be secured when issuing certificates. Finally, the product can use a component called TruPass to provide decent roaming access via a Web browser.

Entrust costs $25,000 for the base installation, excluding user licensing. Certificates for 5,000 to 10,000 users, which are valid for two years, range in price from 75 cents to $1.50 per certificate.

RSAs Keon 5.5

rsas keon 5.5, like the baltimore and Entrust products, is designed for organizations that want to manage and maintain their own PKIs, and it comes with a very good client. The client, Keon Desktop, provided us with an array of features, including a single, secure sign-on; desktop file encryption; inactivity protection; and a secure credential store on the PC.

Although Keon Desktop does have a secure mail function that integrates with Microsoft Corp.s Internet Explorer browser, companies that use the same code with Netscape Communications Corp.s Navigator browser will need to install some additional modules. The Keon system, which lacks integration with Notes, fell short in this area in tests, although RSA officials used a manual process to integrate the two products.

Keon Desktop works with a number of other systems, including Baltimores. Prudential technicians were concerned about having to manage PKI products from more than one vendor, however. We suggest that organizations not go out of their way to cobble together a PKI solution.

Keons CA was the weakest that we saw, lacking features such as automatic certificate issuance, key escrow and certification renewal. For example, the Keon system was unable to generate an automatic message that a certificate was about to expire.

Although Keon doesnt provide direct support for OCSP, it does provide access to ValiCerts service. Keon allows the designation of trusted CAs but does not have a well-developed ability to handle cross-certification.

A full implementation of Keon Advanced PKI, which includes Keon Desktop, costs anywhere from $175,000 for 1,000 users to $990,000 for 10,000 users. Although this list price is higher than that of any other product in the eVal, we caution readers to keep in mind that prices are not based on strict module-to-module comparisons. If anything, RSAs pricing was probably somewhat more forthright and should give IT managers a realistic glimpse of what a real PKI installation will cost.

VeriSigns OnSite 4.51

when it comes to outsourcing, VeriSign is king. OnSite 4.51 has good certificate-handling capabilities, and VeriSign has an impressive reputation for security and redundancy at its hosting sites. The vendors security practices have passed the American Institute of Certified Public Accountants tough Statement on Accounting Standards 70, Level 2 audit, which includes an on-site audit and proof of practice demonstrations.

VeriSign makes its bread and butter from issuing certificates, and from our tests, we could see that it has mastered the art. Automatic issuance and renewal of certificates were straightforward and efficient.

In this vein, OnSite has strong certificate management practices. For example, it can synchronize directories with security providers such as Oblix Inc. As one would expect, OnSite uses VeriSigns OCSP natively to do real-time certificate validation.

Using a new component called Personal Trust Agent, OnSite 4.51 has better roaming capabilities than earlier versions did. Of the PKI providers we saw, VeriSign was the best at integrating its product with Notes, which it accomplished via a no-cost Go Secure module. VeriSign has a number of these Go Secure modules, which consist of documentation on how to integrate various products with OnSite.

Because VeriSign provides an outsourced PKI, it is possible that an organization could be up and running in as little as a couple of months if certificate procedures are minimal and application integration is already available from VeriSign. It seems likely that organizations that contract with VeriSign will get a decent pilot project off the ground in good working order.

The trade-off for this fast startup is more than likely high costs over the long run. VeriSigns list prices range from $70,000 per year for 1,000 users to $220,000 per year for 10,000 users. This price isnt per certificate; users may get as many certificates as needed. Also, keep in mind that these are concurrent-use licenses, not licenses for the total number of users.

One problem that companies will likely face after a couple of years, assuming PKI implementation is running smoothly—a big assumption—is that the fixed costs for VeriSign remain the same as when the project is put in place. And if a company decides to leave VeriSign, all the real expertise stays with VeriSign.