Gartner Research

Public Key Infrastructure

Published: 19 March 2008

ID: G00203458

Analyst(s): Gerry Gebel , Mark Diodati

Summary

Burton Group has updated its Identity and Privacy Strategies Reference Architecture technical position "Public Key Infrastructure" (PKI). The revision provides improved clarity around the selection and architecture of PKI systems and trust models. The document discusses federal government efforts, proper key management, and the correct use of policy in supporting a PKI.

Table Of Contents

Decision Point

Typical Requirements

  • PKI and Assurance
  • PKI Services
    • Authentication
    • Confidentiality and Integrity
    • Digital Signing
    • Key Management
  • Application Integration
  • User Transparency
  • PKI Product Requirements
  • Cryptography Requirements

Alternatives

  • Vendors and Sourcing
  • Policies
    • Policy in Context
  • Trust Models
  • Certificate and Key Management
    • Certificate Content
    • Certificate Classes
    • User Registration
    • Key Management
  • Validation
  • Repositories
  • Application Integration
  • Deployment Mode
    • Loose vs. Tight Services Coupling

Future Developments

  • XML and PKI
  • Web Services Security
  • Operating System Improvements
  • Smart Card Deployments
  • Trusted Hardware and Platforms
  • Identity Assurance

Evaluation Criteria

Statement & Basis for Position

  • Tiers and Instances Position
    • PKI Tiers Position
    • Implement a Tier 1 (externally facing) PKI
    • Implement a Tier 2 (enterprise) PKI
    • Implement a Tier 3 (local) PKI
    • Don't deploy PKI
    • Single or Multiple Instances Position
    • Deploy as many instances as are required by the applications, security zones, or business partners the tier supports
    • Unify a Tier 2 (enterprise) PKI into one instance.
    • Combining Instances Position
    • Combine externally facing and enterprise PKI
    • Combine the local PKI with the enterprise or externally facing tier
    • Do not combine PKI instances
  • Deployment Considerations Position
    • Functionality Position
    • Deploy a server-side PKI instance
    • Deploy a PKI middleware instance
    • Deploy a mobile PKI
    • Sourcing Position
    • Choose an outsource solution that matches server-side requirements.
    • Outsource to a service provider, system integrator, or trust community
    • In-source the PKI
    • Distribution Position
    • Rely on an outsource provider to control instances of CAs
    • Place RAs in tightly controlled environments
    • Place RAs as needed per business requirements
    • Provide separate CAs and RA
    • Deploy the minimum number of CAs and RAs
  • Policy Position
    • Governance Position
    • Develop a certificate policy specifying the governing organization and policies (per the IETF RFC 3647)
    • Rely on the outsource provider to develop policies.
    • Define functionality and other policies in the CPS and/or PDS
    • Define minimal additional policies for the PKI
    • Trust Models Position
    • Use a hierarchical PKI with a common trust anchor.
    • Exchange CA certificates and configure for an explicit trust relationship.
    • Use a trusted third party to bridge the PKIs.
    • Cross-certify the PKIs.
    • Registration Position
    • Use interactive or batched methods
    • Use in-person registration combined with necessary documents and background checks.
    • Registration Protection Position
    • Apply strong information protection practices to RA workstations and associated registration information technology.
  • Operations and Security
    • PKI Operational Controls Position
    • Conduct a WebTrust for CAs audit.
    • Deploy industry-prescribed PKI controls
    • Practice prudent business risk management
  • Applications
    • Signatures Position
    • Employ legal and technical best practices for the presentation and integration of signature services.
    • Encryption Position
    • Ensure that encryption certificates' key usage is set to “data encipherment.” Use symmetric session keys for bulk encryption and asymmetric keys to protect the session keys.
    • Integration Position
    • Associate with the appropriate tier.
    • Always validate certificates.
    • Use toolkits supporting standard interfaces.
    • Authorization Position
    • Do not place volatile or unusual data in X.509 certificates or implement extensions for purposes of authorization.
  • Key Management Position
    • Certificate and Key Management Position
    • Use dual key pairs by issuing separate certificates and keys for signing and encryption.
    • Use short-lived certificates (less than one year).
    • Use reasonably long-lived certificates (typically one to two years).
    • Use the longest possible key length and strongest algorithm
    • Minimize use of nonstandard industry extensions and usage policies
    • Archival and Recovery Position
    • Archive for signed content.
    • Implement secure private key recovery.
    • Implement key history archival.
    • Do not employ additional archival and recovery mechanisms.
    • Key Storage Position
    • Distribute hardware tokens (smart cards).
    • Implement roaming credentials
    • Implement software credentials.
    • Server Components Position
    • Outfit servers with appropriate hardware or software tokens, and equip CAs with HSMs
    • Use smart card lifecycle management systems to facilitate the administration of hardware tokens.
    • Do not deploy additional server components
  • Status Checking
    • Revocation Position
    • Integrate certificate revocation processes with the employee/contractor termination process, referencing general-purpose directories.
    • Validation Position
    • Use real-time validation methods.
    • Use CRL validation techniques.

Relationship to Other Components

Revision History

©2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.

Already have a Gartner Account?

Become a client