When did you start working with PKI?
I started working with PKI at the very beginning of this field. The people at Entrust (which was a spin-out of the Secure Networks group at Nortel) were largely responsible for defining PKI and introducing it to the rest of the world. More than just issuing certificates (which a lot of other people were experimenting with), we emphasized the full life cycle management of certificates (i.e., understanding what needs to be done with them at every stage in their life) as well as the integration of PKI into applications and processes. Concepts like two key pairs per user, key histories, key backup & recovery, and efficient alternatives to traditional CRLs were all pioneered and fleshed out (and implemented in product!) at Nortel Secure Networks and Entrust long before many others had even heard of them. Now, of course, these concepts are standard and well accepted by the industry.
How long did it take you to write "Understanding PKI: Concepts, Standards, and Deployment Considerations 2/e"? Any major difficulties?
The second edition took about 8-10 months to write. The main difficulty (as with the first edition in 1999) was to make sure we included the latest information on each topic (the world -- especially in standards -- is a rapidly-changing place), without including too many details that would quickly become out of date or obsolete. The other difficulty was in trying to strike the proper balance between an introduction to the topic and an implementer's guide. Often we were tempted to go into more detail on some topic but felt we had to hold back because that would have been the wrong level for the intended audience.
In your opinion, what are the pros and cons of PKI with proprietary software and open PKI systems that allow companies to become their own CA?