Preface

Most of the books on public key infrastructure (PKI) seem to focus on asymmetric cryptography, X.509 certificates, certificate authority (CA) hierarchies, or certificate policy (CP) and certificate practice statements (CPS). While algorithms, certificates, and theoretical policy and practices are all excellent discussions, the real-world issues of operating a commercial or private CA can be overwhelming. Pragmatically, a PKI is an operational system that employs asymmetric cryptography, information technology, operating rules, physical and logical security, and legal matters. Much like any technology, cryptography in general undergoes changes: sometimes evolutionary, sometimes dramatic, and sometimes unnoticed. Any of these changes can have a major adverse effect on a PKI’s operational stability. Business requirements can also change such that old rules must evolve into newer rules, or current rules must devolve to address legal issues such as lawsuits, regulatory amendments, or contractual relationships. This book provides a no-nonsense approach and a realistic guide for operating a PKI system.

In addition to discussions of PKI best practices, this book also contains warnings against PKI bad practices. Scattered throughout the book are anonymous case studies identifying good or bad practices. These highlighted bad practices are based on real-world scenarios from the authors’ experiences. Often bad things are done with good intentions but cause bigger problems than the original one being solved.

As with most new technologies, PKI has survived its period of inflated expectations, struggled through its disappointment phase, and eventually gained widespread industry adoption. Today, PKI, as a cryptographic technology, is embedded in hardware, firmware, and software throughout an enterprise in almost every infrastructure or application environment. However, it now struggles with apathetic mismanagement and new vulnerabilities. Moore’s law continues to erode cryptographic strengths, and, in response, keys continue to get larger and protocols get more complicated. Furthermore, attackers are becoming more sophisticated, poking holes in cryptographic protocols, which demands continual reassessments and improvements. Consequently, managing PKI systems has become problematic. The authors offer a combined knowledge of over 50 years in developing PKI-related policies, standards, practices, procedures, and audits with in-depth experience in designing and operating various commercial and private PKI systems.
