When did you start working with PKI?
I started working with PKI at the very beginning of this field. The people at Entrust (which was a spin-out of the Secure Networks group at Nortel) were largely responsible for defining PKI and introducing it to the rest of the world. More than just issuing certificates (which a lot of other people were experimenting with), we emphasized the full life cycle management of certificates (i.e., understanding what needs to be done with them at every stage in their life) as well as the integration of PKI into applications and processes. Concepts like two key pairs per user, key histories, key backup & recovery, and efficient alternatives to traditional CRLs were all pioneered and fleshed out (and implemented in product!) at Nortel Secure Networks and Entrust long before many others had even heard of them. Now, of course, these concepts are standard and well accepted by the industry.
How long did it take you to write "Understanding PKI: Concepts, Standards, and Deployment Considerations 2/e"? Any major difficulties?
The second edition took about 8-10 months to write. The main difficulty (as with the first edition in 1999) was to make sure we included the latest information on each topic (the world -- especially in standards -- is a rapidly-changing place), without including too many details that would quickly become out of date or obsolete. The other difficulty was in trying to strike the proper balance between an introduction to the topic and an implementer's guide. Often we were tempted to go into more detail on some topic but felt we had to hold back because that would have been the wrong level for the intended audience.
In your opinion, what are the pros and cons of PKI with proprietary software and open PKI systems that allow companies to become their own CA?
Proprietary software, in any product, allows greater sophistication and fancier features. Open, standardized interfaces allow interoperability. While every company gets to make this choice for themselves, it is apparent that most customers prefer open products. They want to know that they won't get stuck if the vendor they're dealing with goes out of business; they want to know that the product they buy to do X will be able to interwork with another product they've bought to do Y. As for companies being their own CA, this is very important in some environments, as is the outsourcing model in other environments. This is why several PKI vendors today offer both options.
PKI is rapidly maturing as a security solution, how do you envision the future for PKI?
We tried to cover exactly this question in Chapter 15. In short, I believe that the future is quite healthy, but many are now starting to realize that PKI is only a part of the overall security landscape. PKI offers things that other technologies can't offer (such as digital signatures), but it doesn't do everything. Environments still need virus scanners, firewalls, privacy infrastructures, and so on.
What are your future plans? Any exciting new projects?
6. I'm involved in authorization architectures, authorization policy languages, and security for Web services, among other things. There's no shortage of new and exciting things in the security field these days!