7.1 PKI and you
In Chapter 6, we briefly covered Public Key Infrastructure (PKI). This
chapter is devoted to the topic. We have discussed SSL, encryption, and
certificates; now we are going to focus on PKI itself. PKI is slowly
working its way into the business enterprise. Lotus Notes has had a
PKI since Release 1.0. To implement an effective PKI, however,
you will need to have some idea of what this beast is. As you might guess,
public key cryptography requires a public key infrastructure. What is
driving the use of PKI is applications and access to those applications.
Businesses around the world are deploying new generations of business-critical
applications, and in many cases these are distributed applications. These
applications serve the following types of environments: customer to
business, business to business, and employees to business.
7.1.1 Customer to business
This environment is one in which the customer uses the Internet to
interact with a business. Customer-to-business access is not only for
"buying" something. Following are a few examples of other uses this type
of access provides. The customer can:
• Look up information on a product or service
• Inquire or make a change to an order
• Place an order
• Send an e-mail with a question regarding the company's offerings
There are a lot of reasons for a customer to use the Internet. Do you
have to authenticate for each of these reasons? No, you only need to
authenticate in those areas where you need to identify the user. Interestingly
enough, implementing a PKI for the general public is somewhat difficult.
You will see why a bit later.
Business to business
This environment is where PKI can really shine. You will see that by using
some type of PKI, you can determine whom you are doing business with
and use that information to track and verify transactions. PKI can be very
useful in the high-volume transaction and mobile world of Internet
commerce. It provides risk management control for business systems.
Employees to business
This environment is another example of how PKI can help an organization.
PKI can provide a secure mechanism to transfer mail not only inside the
organization but also outside the organization. Also, there are the benefits
of being able to have a secure transaction and access based on a certificate.
You could even set up a central certificate database (LDAP) and
authenticate using it as your authoritative source.
With all that said, let's review: PKI is the use of public key cryptography via
some type of network (for our discussion, the Internet). In most cases, a
standard public-private key system will be used. This PKI will include sev-
Certificate authority (CA)
The CA issues, verifies, renews, and revokes digital certificates. A certificate
includes the public key or information about the public key and may even
offer a directory to store the public key.
The management system
There are many different implementations of PKI in the marketplace.
Many of these systems are shipped with a web server or are offered as a
stand-alone program. The keys are typically created simultaneously using
the same algorithm by a certificate authority.
Following are some of the features that we will be working with when using
• Certification: Remember when we talked about binding a user to a
certificate? This is certification, the process of binding a public key
value to a person or system.
• Authentication: Again, we already talked about this. This is the
process of allowing access into a system based on a set of credentials. This
does not guarantee authorization. Once we know who you are, then
we can authorize you. Do you see the relationship between the
certificate and binding? We bind you to a certificate via certification, then
we authorize into the subsystem. Then you are authorized to perform
a function (access, read, write, etc.).
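The relationship between certification, authentication, and authorization described in the list above can be walked through with the OpenSSL command line. This is an added example, not code from the book; the CA name, the users alice and bob, the "rogue" certificate, and the access list file are all constructed for the illustration.

```bash
#!/usr/bin/env bash
# Constructed lab: every name here (Example Root CA, alice, bob, acl.txt) is made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# The CA: a self-signed root whose key signs every certificate it issues.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Certification: the CA binds the name $1 to a freshly generated public key.
certify() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/$1.pem" 2>/dev/null
}

# Authentication: $1 = certificate, $2 = private key the presenter claims to hold.
authenticate() {
    # 1. Was the binding made by our CA?
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1 || return 1
    # 2. Does the presenter hold the private key? Sign a fresh nonce, check it with the cert's key.
    openssl rand -hex 16 > "$WORK/nonce"
    openssl dgst -sha256 -sign "$2" -out "$WORK/sig" "$WORK/nonce" 2>/dev/null || return 1
    openssl x509 -in "$1" -pubkey -noout > "$WORK/pub.pem"
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig" \
        "$WORK/nonce" >/dev/null 2>&1
}

# Authorization: a separate lookup of "<name> <action>" in an access list.
authorize() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p')
    grep -qx "$cn $2" "$WORK/acl.txt"
}

# Access decision: authorization is only evaluated for an authenticated identity.
access() { authenticate "$WORK/$1.pem" "$WORK/$1.key" && authorize "$WORK/$1.pem" "$2"; }

certify alice
certify bob
printf 'alice read\nalice write\n' > "$WORK/acl.txt"   # bob is certified but has no entry
# A self-signed certificate that merely claims the name alice (never issued by the CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null

for who in alice bob rogue; do
    access "$who" write && echo "$who: write allowed" || echo "$who: write denied"
done
```

Bob authenticates but is denied because he has no access list entry, and the rogue certificate is denied even though it carries the name alice, because the CA never signed that binding.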